Cypherpunks repositories - gostls13.git/commitdiff
net/http: document that Handlers are responsible for validating Host headers
author Brad Fitzpatrick <bradfitz@golang.org>
Tue, 29 May 2018 20:19:24 +0000 (20:19 +0000)
committer Brad Fitzpatrick <bradfitz@golang.org>
Fri, 15 Jun 2018 21:18:01 +0000 (21:18 +0000)
Fixes #23993

Change-Id: I112415c894e8c680bfc17d53772275430e46794b
Reviewed-on: https://go-review.googlesource.com/115116
Reviewed-by: Tim Cooper <tim.cooper@layeh.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/net/http/request.go

index 7c4325027cf2d4ea1777fe67af287b99dd551b9f..ea2d51fee599f07dacf6f3c192764e7b26da4980 100644 (file)
@@ -214,6 +214,11 @@ type Request struct {
        // names, Host may be in Punycode or Unicode form. Use
        // golang.org/x/net/idna to convert it to either format if
        // needed.
+       // To prevent DNS rebinding attacks, server Handlers should
+       // validate that the Host header has a value for which the
+       // Handler considers itself authoritative. The included
+       // ServeMux supports patterns registered to particular host
+       // names and thus protects its registered Handlers.
        //
        // For client requests Host optionally overrides the Host
        // header to send. If empty, the Request.Write method uses
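
Review bot: The last added sentence ("The included ServeMux supports patterns registered to particular host names and thus protects its registered Handlers") reads as if every Handler registered on a ServeMux is protected, but only patterns that begin with a host name restrict the Host value; a host-less pattern such as "/" matches requests for any Host. Suggest narrowing it to something like "... and thus protects Handlers registered under host-specific patterns." The new text also begins directly after "needed." in the IDNA paragraph; a blank `//` line before "To prevent DNS rebinding attacks" would keep the two topics apart.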