Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: does not verify validity of Host header #11206

Closed
dvyukov opened this issue Jun 13, 2015 · 6 comments
Closed

net/http: does not verify validity of Host header #11206

dvyukov opened this issue Jun 13, 2015 · 6 comments
Milestone

Comments

@dvyukov
Copy link
Member

dvyukov commented Jun 13, 2015

Request parsing does not verify validity of Host header, in particular it can contain spaces.
This leads to weird possibilities like:

package main

import (
    "bufio"
    "bytes"
    "os"
    "net/http"
)

func main() {
    data := []byte("GET http:/1.1 HTTP/1.1\nHost: host.com/somethingelse HTTP\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    r.WriteProxy(os.Stdout)
}
GET http://host.com/somethingelse HTTP/1.1 HTTP/1.1
Host: host.com/somethingelse HTTP
User-Agent: Go 1.1 package http

which I guess can trick some other HTTP implementation.

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

@ianlancetaylor ianlancetaylor added this to the Go1.5Maybe milestone Jun 13, 2015
@jeffallen
Copy link
Contributor

I have a fix for this, for discussion purposes. I think it's 50% likely Brad will barf all over it, but hopefully his feedback will lead me to the right fix.. :)

@gopherbot
Copy link
Contributor

CL https://golang.org/cl/11241 mentions this issue.

@fyelles
Copy link

fyelles commented Jun 19, 2015

@jeffallen, Did you notify the mailing list that you were working on this ? as mentioned in https://golang.org/doc/contribute.html > Discuss your design

I was working on the same bug and was just ready to submit it...
It's OK because it was a small one...

@rsc
Copy link
Contributor

rsc commented Jun 29, 2015

For the record, it's not necessary to notify the mailing list when you are working on a simple bug fix. It's fine to say something on the github issue if you are worried about duplicating effort.

rsc pushed a commit that referenced this issue Jul 15, 2015
A malformed Host header can result in a malformed HTTP request.
Clean them to avoid this.

Updates #11206. We may come back and make this stricter for 1.6.

Change-Id: I23c7d821cd9dbf66c3c15d26750f305e3672d984
Reviewed-on: https://go-review.googlesource.com/11241
Reviewed-by: Russ Cox <rsc@golang.org>
@rsc
Copy link
Contributor

rsc commented Jul 20, 2015

Leaving open because the CL says "We may come back and make this stricter for 1.6."

@gopherbot
Copy link
Contributor

CL https://golang.org/cl/17892 mentions this issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

7 participants