Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: does not verify validity of Host header #11206

Closed
dvyukov opened this issue Jun 13, 2015 · 6 comments
Closed

net/http: does not verify validity of Host header #11206

dvyukov opened this issue Jun 13, 2015 · 6 comments
Labels
FrozenDueToAge
Milestone
Go1.6

Comments

@dvyukov
Copy link
Member

dvyukov commented Jun 13, 2015

Request parsing does not verify validity of Host header, in particular it can contain spaces.
This leads to weird possibilities like:

package main

import (
    "bufio"
    "bytes"
    "os"
    "net/http"
)

func main() {
    data := []byte("GET http:/1.1 HTTP/1.1\nHost: host.com/somethingelse HTTP\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    r.WriteProxy(os.Stdout)
}
GET http://host.com/somethingelse HTTP/1.1 HTTP/1.1
Host: host.com/somethingelse HTTP
User-Agent: Go 1.1 package http

which I guess can trick some other HTTP implementation.

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64
@ianlancetaylor ianlancetaylor added this to the Go1.5Maybe milestone Jun 13, 2015
@jeffallen
Copy link
Contributor

I have a fix for this, for discussion purposes. I think it's 50% likely Brad will barf all over it, but hopefully his feedback will lead me to the right fix.. :)

@gopherbot
Copy link

CL https://golang.org/cl/11241 mentions this issue.

@fyelles
Copy link

fyelles commented Jun 19, 2015

@jeffallen, Did you notify the mailing list that you were working on this ? as mentioned in https://golang.org/doc/contribute.html > Discuss your design

I was working on the same bug and was just ready to submit it...
It's OK because it was a small one...

@bradfitz bradfitz mentioned this issue Jun 19, 2015
Closed
@rsc
Copy link
Contributor

rsc commented Jun 29, 2015

For the record, it's not necessary to notify the mailing list when you are working on a simple bug fix. It's fine to say something on the github issue if you are worried about duplicating effort.

rsc pushed a commit that referenced this issue Jul 15, 2015
@jeffallen @rsc
net/http: do not allow space or slash in Host headers
0c72eeb 
A malformed Host header can result in a malformed HTTP request.
Clean them to avoid this.

Updates #11206. We may come back and make this stricter for 1.6.

Change-Id: I23c7d821cd9dbf66c3c15d26750f305e3672d984
Reviewed-on: https://go-review.googlesource.com/11241
Reviewed-by: Russ Cox <rsc@golang.org>
@rsc
Copy link
Contributor

rsc commented Jul 20, 2015

Leaving open because the CL says "We may come back and make this stricter for 1.6."

@rsc rsc modified the milestones: Go1.6, Go1.5Maybe Jul 20, 2015
@bradfitz bradfitz mentioned this issue Dec 15, 2015
Closed
@gopherbot
Copy link

CL https://golang.org/cl/17892 mentions this issue.

This was referenced Apr 4, 2016
Closed
Closed
@bradfitz bradfitz mentioned this issue Apr 14, 2016
Closed
@golang golang locked and limited conversation to collaborators Dec 29, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.6
Development

No branches or pull requests
7 participants
@bradfitz @rsc @fyelles @dvyukov @jeffallen @ianlancetaylor @gopherbot