net/http: permit incoming CONNECT requests without Host headers
authorBrad Fitzpatrick <bradfitz@golang.org>
Tue, 23 May 2017 23:42:47 +0000 (23:42 +0000)
committerBrad Fitzpatrick <bradfitz@golang.org>
Wed, 24 May 2017 04:15:25 +0000 (04:15 +0000)
Apparently they exist in the wild. See:
https://github.com/golang/go/issues/18215#issuecomment-301182496
(Facebook / iOS)

Fixes #18215

Change-Id: I9ddad3896b5d784cb3f5b3ee9c6819081a4a2702
Reviewed-on: https://go-review.googlesource.com/44004
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Matt Layher <mdlayher@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/net/http/serve_test.go
src/net/http/server.go

index 80fcc8c407125ec6b6ef3b3ad3c0cce5b2acf229..2897c15228062d9fde19b46aae560498f34a5fb6 100644 (file)
@@ -4358,6 +4358,9 @@ func TestServerValidatesHostHeader(t *testing.T) {
                // Make an exception for HTTP upgrade requests:
                {"PRI * HTTP/2.0", "", 200},
 
+               // Also an exception for CONNECT requests: (Issue 18215)
+               {"CONNECT golang.org:443 HTTP/1.1", "", 200},
+
                // But not other HTTP/2 stuff:
                {"PRI / HTTP/2.0", "", 400},
                {"GET / HTTP/2.0", "", 400},
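Review bot: The new table row pins only the accept path for a Host-less CONNECT. Nothing in this hunk shows that a CONNECT carrying an invalid Host value is still answered with 400, which is the property that keeps the exemption narrow. If the second field takes raw header text (the table's definition is outside the hunk), a companion row such as `{"CONNECT golang.org:443 HTTP/1.1", "Host: \xff\r\n", 400},` would guard against the exemption later being widened to skip Host validation altogether.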
index b60bd2481e4248c6d97ae4ef5892542023a6b538..a8d32459e0759ac1e3ef1a5c3da73ad0fa22c048 100644 (file)
@@ -943,7 +943,7 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
 
        hosts, haveHost := req.Header["Host"]
        isH2Upgrade := req.isH2Upgrade()
-       if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade {
+       if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade && req.Method != "CONNECT" {
                return nil, badRequestError("missing required Host header")
        }
        if len(hosts) > 1 {
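Review bot: The added `req.Method != "CONNECT"` clause in readRequest's missing-Host check has no comment explaining the exemption. RFC 7230 section 5.4 requires Host on every HTTP/1.1 request, so a later reader may take the clause for an oversight. I would add above the `if`: `// Tolerate CONNECT without a Host header; some clients omit it (Issue 18215).` For these requests there is no Host header value for the following checks to validate (they continue outside the hunk), so handlers presumably see only the authority from the request line; it is worth confirming that value is validated on its own path. The string literal could also be the package's `MethodConnect` constant.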