net/http: go 1.20.6 host validation breaks setting Host to a unix socket address [1.19 backport] #61825
Labels
Milestone
Comments
gopherbot
added
CherryPickCandidate
|
Change https://go.dev/cl/516416 mentions this issue: |
|
Approved. We're going to do an off-cycle 1.19 release for forward compatibility, and we might as well not leave 1.19 broken. |
heschi
added
the
CherryPickApproved
gopherbot
removed
the
CherryPickCandidate
|
Change https://go.dev/cl/518855 mentions this issue: |
|
Closed by merging c08a5fa to release-branch.go1.19. |
gopherbot
pushed a commit
that referenced
this issue
Aug 14, 2023
…eaders Historically, the Transport has silently truncated invalid Host headers at the first '/' or ' ' character. CL 506996 changed this behavior to reject invalid Host headers entirely. Unfortunately, Docker appears to rely on the previous behavior. When sending a HTTP/1 request with an invalid Host, send an empty Host header. This is safer than truncation: If you care about the Host, then you should get the one you set; if you don't care, then an empty Host should be fine. Continue to fully validate Host headers sent to a proxy, since proxies generally can't productively forward requests without a Host. For #60374 Fixes #61431 Fixes #61825 Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6 Reviewed-on: https://go-review.googlesource.com/c/go/+/511155 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Damien Neil <dneil@google.com> (cherry picked from commit b9153f6) Reviewed-on: https://go-review.googlesource.com/c/go/+/518855 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@neild requested issue #61431 to be considered for backport to the next 1.19 minor release.
The text was updated successfully, but these errors were encountered: