Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: insufficient sanitization of Host header [1.19 backport] #61075

Closed
gopherbot opened this issue Jun 29, 2023 · 3 comments
Closed

net/http: insufficient sanitization of Host header [1.19 backport] #61075

gopherbot opened this issue Jun 29, 2023 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Milestone
Go1.19.11

Comments

@gopherbot
Copy link

@neild requested issue #60374 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues. This is a (fairly minor) security issue.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jun 29, 2023
@gopherbot gopherbot mentioned this issue Jun 29, 2023
Closed
@gopherbot gopherbot added this to the Go1.19.11 milestone Jun 29, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/507358 mentions this issue: net/http: validate Host header before sending

@tatianab tatianab added release-blocker CherryPickApproved Used during the release process for point releases Security and removed release-blocker CherryPickCandidate Used during the release process for point releases labels Jun 30, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/507905 mentions this issue: http2: validate Host header before sending

@gopherbot
Copy link
Author

Closed by merging 5fa6923 to release-branch.go1.19.

gopherbot pushed a commit that referenced this issue Jul 6, 2023
@neild @joedian
[release-branch.go1.19] net/http: validate Host header before sending
5fa6923 
Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

Updates #60374
Fixes #61075
For CVE-2023-29406

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
(cherry picked from commit 499458f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
@bcmills bcmills mentioned this issue Jul 20, 2023
Closed
zregvart added a commit to zregvart/ec-cli that referenced this issue Jul 21, 2023
@zregvart
Fix acceptance tests container launching issue
1c2c185 
A change[1] was backported to golang 1.19 that introduces additional
checks on the `Host` HTTP header. The docker client connecting via
Unix domain socket to the docker daemon does not specify the `Host`
header and that triggers the error `http: invalid Host header`.

The fix[2] was introduced in an unreleased version[3] of docker client
which we use via commit id here to resolve the issue.

[1] golang/go#61075
[2] moby/moby#45935
[3] moby/moby#45971
@zregvart zregvart mentioned this issue Jul 21, 2023
Merged
@kruskall kruskall mentioned this issue Aug 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases release-blocker Security
Projects
None yet
Milestone
Go1.19.11
Development

No branches or pull requests
2 participants
@tatianab @gopherbot