net/http: go 1.20.6 host validation breaks setting Host to a unix socket address [1.19 backport] #61825

Closed
gopherbot opened this issue Aug 7, 2023 · 4 comments
Labels: CherryPickApproved (used during the release process for point releases), FrozenDueToAge, release-blocker

@gopherbot
Contributor

@neild requested issue #61431 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues. This is a regression.

@gopherbot
Contributor Author

Change https://go.dev/cl/516416 mentions this issue: net/http: go 1.20.6 host validation breaks setting Host to a unix socket address

@heschi
Contributor

heschi commented Aug 9, 2023

Approved. We're going to do an off-cycle 1.19 release for forward compatibility, and we might as well not leave 1.19 broken.

heschi added the CherryPickApproved label Aug 9, 2023
gopherbot removed the CherryPickCandidate label Aug 9, 2023
dmitshur removed the Security label Aug 9, 2023
@gopherbot
Contributor Author

Change https://go.dev/cl/518855 mentions this issue: [release-branch.go1.19] net/http: permit requests with invalid Host headers

@gopherbot
Contributor Author

Closed by merging c08a5fa to release-branch.go1.19.

gopherbot pushed a commit that referenced this issue Aug 14, 2023
…eaders

Historically, the Transport has silently truncated invalid
Host headers at the first '/' or ' ' character. CL 506996 changed
this behavior to reject invalid Host headers entirely.
Unfortunately, Docker appears to rely on the previous behavior.

When sending a HTTP/1 request with an invalid Host, send an empty
Host header. This is safer than truncation: If you care about the
Host, then you should get the one you set; if you don't care,
then an empty Host should be fine.

Continue to fully validate Host headers sent to a proxy,
since proxies generally can't productively forward requests
without a Host.

For #60374
Fixes #61431
Fixes #61825

Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
(cherry picked from commit b9153f6)
Reviewed-on: https://go-review.googlesource.com/c/go/+/518855
Auto-Submit: Dmitri Shuralyov <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Russ Cox <[email protected]>
golang locked and limited conversation to collaborators Aug 13, 2024
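
The behaviour described in the commit message above, as an added Go example (not part of the issue, the CL, or the Go source tree): it serializes requests with `Request.Write` and `Request.WriteProxy` and reads back the Host line that would go on the wire. The helper `wireHost`, the URL and the sample Host values are constructed for illustration, and it assumes a Go toolchain that includes this change.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// wireHost (hypothetical helper) serializes an HTTP/1.1 request with req.Host
// set to host and returns the Host header value exactly as written.
// viaProxy selects the proxy form, where the Host is still fully validated.
func wireHost(host string, viaProxy bool) (string, error) {
	// placeholder.invalid is a constructed URL; nothing is dialed.
	req, err := http.NewRequest(http.MethodGet, "http://placeholder.invalid/version", nil)
	if err != nil {
		return "", err
	}
	req.Host = host // overrides the URL host in the Host header

	var buf bytes.Buffer
	if viaProxy {
		err = req.WriteProxy(&buf)
	} else {
		err = req.Write(&buf)
	}
	if err != nil {
		return "", err
	}
	for _, line := range strings.Split(buf.String(), "\r\n") {
		if strings.HasPrefix(line, "Host:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "Host:")), nil
		}
	}
	return "", fmt.Errorf("no Host header written")
}

func main() {
	// Constructed samples: a socket path, a host with trailing junk, a valid host.
	for _, h := range []string{"/run/example.sock", "example.com/extra", "example.com:8080"} {
		direct, derr := wireHost(h, false)
		_, perr := wireHost(h, true)
		fmt.Printf("Host=%q direct=%q (err=%v) proxy err=%v\n", h, direct, derr, perr)
	}
}
```

The `example.com/extra` case is the one that separates the two behaviours: truncation would have sent `example.com`, while the empty-Host rule sends nothing the caller did not set.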