]> Cypherpunks.ru repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: fe73c18) | patch
net/http: validate Host header before sending
authorDamien Neil <dneil@google.com>
Wed, 28 Jun 2023 20:20:08 +0000 (13:20 -0700)
committerDamien Neil <dneil@google.com>
Thu, 29 Jun 2023 17:00:06 +0000 (17:00 +0000)
commit499458f7ca04087958987a33c2703c3ef03e27e2
treeba0a1dc6e81eb34d677972cb9613ff760bb93e33tree
parentfe73c186eba2c849a2f2aeaca091ddb5bac3aef1commit | diff
net/http: validate Host header before sending

Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

For #60374

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
src/net/http/http_test.go diff | blob | history
src/net/http/request.go diff | blob | history
src/net/http/request_test.go diff | blob | history
src/net/http/transport_test.go diff | blob | history
Go GOST TLS 1.3