From ad7320acc4c05860b1527d55a6044017013d8969 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Tue, 29 May 2018 20:19:24 +0000
Subject: [PATCH] net/http: document that Handlers are resposible for
 validating Host headers

Fixes #23993

Change-Id: I112415c894e8c680bfc17d53772275430e46794b
Reviewed-on: https://go-review.googlesource.com/115116
Reviewed-by: Tim Cooper <tim.cooper@layeh.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---
 src/net/http/request.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/net/http/request.go b/src/net/http/request.go
index 7c4325027c..ea2d51fee5 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -214,6 +214,11 @@ type Request struct {
 	// names, Host may be in Punycode or Unicode form. Use
 	// golang.org/x/net/idna to convert it to either format if
 	// needed.
+	// To prevent DNS rebinding attacks, server Handlers should
+	// validate that the Host header has a value for which the
+	// Handler considers itself authoritative. The included
+	// ServeMux supports patterns registered to particular host
+	// names and thus protects its registered Handlers.
 	//
 	// For client requests Host optionally overrides the Host
 	// header to send. If empty, the Request.Write method uses
-- 
2.48.1