
net/http: does not verify validity of Host header #11206

Closed
dvyukov opened this issue Jun 13, 2015 · 6 comments

@dvyukov (Member) commented Jun 13, 2015

Request parsing does not verify the validity of the Host header; in particular, it can contain spaces.
This leads to weird possibilities like:

package main

import (
    "bufio"
    "bytes"
    "net/http"
    "os"
)

func main() {
    // Request line with a bogus absolute URI, plus a Host header that
    // contains a slash and a space. ReadRequest accepts both unchanged.
    data := []byte("GET http:/1.1 HTTP/1.1\nHost: host.com/somethingelse HTTP\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    // Re-serialising in proxy form copies the unvalidated Host into the
    // request line, so the output is itself a malformed request.
    r.WriteProxy(os.Stdout)
}
GET http://host.com/somethingelse HTTP/1.1 HTTP/1.1
Host: host.com/somethingelse HTTP
User-Agent: Go 1.1 package http

which I guess can trick some other HTTP implementation.

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

@ianlancetaylor added this to the Go1.5Maybe milestone Jun 13, 2015

@jeffallen (Contributor) commented Jun 18, 2015

I have a fix for this, for discussion purposes. I think it's 50% likely Brad will barf all over it, but hopefully his feedback will lead me to the right fix. :)

@gopherbot commented Jun 18, 2015

CL https://golang.org/cl/11241 mentions this issue.

@fyelles commented Jun 19, 2015

@jeffallen, did you notify the mailing list that you were working on this? As mentioned in https://golang.org/doc/contribute.html > Discuss your design

I was working on the same bug and was just ready to submit it...
It's OK because it was a small one...

@rsc (Contributor) commented Jun 29, 2015

For the record, it's not necessary to notify the mailing list when you are working on a simple bug fix. It's fine to say something on the github issue if you are worried about duplicating effort.

rsc added a commit that referenced this issue Jul 15, 2015

net/http: do not allow space or slash in Host headers
A malformed Host header can result in a malformed HTTP request.
Clean them to avoid this.

Updates #11206. We may come back and make this stricter for 1.6.

Change-Id: I23c7d821cd9dbf66c3c15d26750f305e3672d984
Reviewed-on: https://go-review.googlesource.com/11241
Reviewed-by: Russ Cox <rsc@golang.org>
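As an added example that is not part of this issue or of the Go repository's code, the program below reproduces the parse from dvyukov's report and then shows the two responses to it that the thread discusses: a strict Host validator (my own implementation of the RFC 7230 grammar Host = uri-host [ ":" port ], not golang.org/x/net/http/httpguts.ValidHostHeader) and a truncating cleaner written from the title of the commit above, "do not allow space or slash in Host headers", not from the CL's actual code. The names IssueRequestHost, ValidHostHeader, CleanHost, isRegNameByte and isPort are hypothetical, and the sample hosts are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// issueRequest is the malformed request from the issue, embedded as a
// constructed byte string so the example runs offline.
const issueRequest = "GET http:/1.1 HTTP/1.1\nHost: host.com/somethingelse HTTP\n\n"

// IssueRequestHost (hypothetical name) parses issueRequest with the standard
// library and returns the Host value the parser stored, as it was on the wire.
func IssueRequestHost() (string, error) {
	r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader([]byte(issueRequest))))
	if err != nil {
		return "", err
	}
	return r.Host, nil
}

// isRegNameByte reports whether c may appear in an RFC 3986 reg-name:
// unreserved, "%" (start of pct-encoded) or sub-delims. Space, "/", CR,
// LF and every other byte are rejected.
func isRegNameByte(c byte) bool {
	if c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' {
		return true
	}
	return strings.IndexByte("-._~%!$&'()*+,;=", c) >= 0
}

// isPort reports whether s is a (possibly empty) run of digits, the RFC 3986 port rule.
func isPort(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// ValidHostHeader (own implementation, not httpguts.ValidHostHeader) checks a
// Host value against RFC 7230: Host = uri-host [ ":" port ]. An empty value is
// legal per RFC 7230 section 5.4. IPv6 zone identifiers are not handled.
func ValidHostHeader(h string) bool {
	if h == "" {
		return true
	}
	if strings.HasPrefix(h, "[") { // IP-literal such as [::1]:443
		end := strings.IndexByte(h, ']')
		if end < 2 { // no closing bracket, or the empty literal "[]"
			return false
		}
		for i := 1; i < end; i++ {
			c := h[i]
			isHex := c >= '0' && c <= '9' || c >= 'a' && c <= 'f' || c >= 'A' && c <= 'F'
			if !isHex && c != ':' && c != '.' {
				return false
			}
		}
		rest := h[end+1:]
		if rest == "" {
			return true
		}
		return rest[0] == ':' && isPort(rest[1:])
	}
	host, port := h, ""
	if i := strings.LastIndexByte(h, ':'); i >= 0 {
		host, port = h[:i], h[i+1:]
	}
	if host == "" || !isPort(port) {
		return false
	}
	for i := 0; i < len(host); i++ {
		if !isRegNameByte(host[i]) {
			return false
		}
	}
	return true
}

// CleanHost is the truncation implied by the commit title above: keep what
// precedes the first space or slash. Demonstration only, not CL 11241's code.
func CleanHost(h string) string {
	if i := strings.IndexAny(h, " /"); i >= 0 {
		return h[:i]
	}
	return h
}

func main() {
	host, err := IssueRequestHost()
	if err != nil {
		fmt.Println("ReadRequest rejected the request:", err)
		return
	}
	fmt.Printf("parsed Host %q: valid=%v cleaned=%q\n", host, ValidHostHeader(host), CleanHost(host))
	// Constructed samples: two well-formed hosts and a CRLF injection attempt.
	for _, h := range []string{"example.com:8080", "[::1]:443", "a.com\r\nX-Injected: 1"} {
		fmt.Printf("%q: valid=%v\n", h, ValidHostHeader(h))
	}
}
```

Running it with go run shows that ReadRequest hands back the Host exactly as received, that the validator rejects it along with the CRLF sample, and that the cleaner reduces it to host.com. Of the two responses, rejection is the safer one: truncation silently changes the request target, so a proxy that cleans and an origin that does not can end up routing the same bytes to different hosts, which is the kind of disagreement request-smuggling attacks rely on.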
@rsc (Contributor) commented Jul 20, 2015

Leaving open because the CL says "We may come back and make this stricter for 1.6."

@gopherbot commented Dec 16, 2015

CL https://golang.org/cl/17892 mentions this issue.
