From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Tue, 29 May 2018 20:19:24 +0000 (+0000)
Subject: net/http: document that Handlers are resposible for validating Host headers
X-Git-Tag: go1.11beta1~73
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=ad7320acc4c05860b1527d55a6044017013d8969;p=gostls13.git

net/http: document that Handlers are resposible for validating Host headers

Fixes #23993

Change-Id: I112415c894e8c680bfc17d53772275430e46794b
Reviewed-on: https://go-review.googlesource.com/115116
Reviewed-by: Tim Cooper <tim.cooper@layeh.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---

diff --git a/src/net/http/request.go b/src/net/http/request.go
index 7c4325027c..ea2d51fee5 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -214,6 +214,11 @@ type Request struct {
 	// names, Host may be in Punycode or Unicode form. Use
 	// golang.org/x/net/idna to convert it to either format if
 	// needed.
+	// To prevent DNS rebinding attacks, server Handlers should
+	// validate that the Host header has a value for which the
+	// Handler considers itself authoritative. The included
+	// ServeMux supports patterns registered to particular host
+	// names and thus protects its registered Handlers.
 	//
 	// For client requests Host optionally overrides the Host
 	// header to send. If empty, the Request.Write method uses