Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.20] net/http: validate Host header before sending
author Damien Neil <dneil@google.com>
Wed, 28 Jun 2023 20:20:08 +0000 (13:20 -0700)
committer Joedian Reid <joedian@golang.org>
Thu, 6 Jul 2023 19:41:17 +0000 (19:41 +0000)
commit 312920c00aac9897b2a0693e752390b5b0711a5a
tree 72590fc63672b3370f3027e53d7be29c6316310c
parent 4db13d762ba3f3487677087a3c5a6221b4c3bd8f
[release-branch.go1.20] net/http: validate Host header before sending

Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

For #60374
Fixes #61076
For CVE-2023-29406

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/507357
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
src/net/http/http_test.go
src/net/http/request.go
src/net/http/request_test.go
src/net/http/transport_test.go
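The check the commit message describes, as an added Go example that is not the net/http code from this commit: a byte allowlist for the Host value (my approximation of the host and port characters RFC 3986 permits, with CR, LF, space and other control bytes deliberately absent) and a request-head writer that refuses to serialise a Host that fails the check. `ValidHost`, `RequestHead`, `ErrInvalidHost` and the allowlist are my own names and assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// hostByteOK is a constructed allowlist of bytes permitted in a Host header
// value (unreserved, sub-delims, pct-encoding, '[' ']' for IPv6 and ':' for
// the port). CR and LF are not in it, which is what blocks a value such as
// "go.dev\r\nX-Evil:oops" from becoming a second header line on the wire.
var hostByteOK = func() [256]bool {
	var t [256]bool
	allowed := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" +
		"0123456789-._~!$&'()*+,;=:[]%"
	for i := 0; i < len(allowed); i++ {
		t[allowed[i]] = true
	}
	return t
}()

// ValidHost reports whether every byte of h is permitted in a Host header.
func ValidHost(h string) bool {
	for i := 0; i < len(h); i++ {
		if !hostByteOK[h[i]] {
			return false
		}
	}
	return true
}

var ErrInvalidHost = errors.New("http: invalid Host header")

// RequestHead serialises an HTTP/1.1 request head. The Host value is
// validated before any byte is formatted, so an invalid value never
// reaches the connection.
func RequestHead(method, target, host string) (string, error) {
	if !ValidHost(host) {
		return "", ErrInvalidHost
	}
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s HTTP/1.1\r\nHost: %s\r\n\r\n", method, target, host)
	return b.String(), nil
}

func main() {
	// Constructed sample Host values: two well-formed, one carrying CRLF.
	for _, h := range []string{"go.dev", "[::1]:8080", "go.dev\r\nX-Evil:oops"} {
		head, err := RequestHead("GET", "/", h)
		fmt.Printf("host=%q head=%q err=%v\n", h, head, err)
	}
}
```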