docs: warn about underscore header spoofing in NewRequestWithContext #2460
Merged
Conversation
CGI maps dashes to underscores, so a client-supplied Foo_Bar header is indistinguishable from Foo-Bar in $_SERVER and can spoof it. Document that callers must drop underscore headers (the Caddy server and proxies like nginx already do) and show it in the ServeHTTP example.
Contributor
Pull request overview
This PR documents a header-spoofing risk when using the Go API NewRequestWithContext: HTTP header names containing underscores are not stripped, and due to CGI’s dash-to-underscore mapping, an attacker can spoof trusted headers once they are projected into $_SERVER. It also updates the ExampleServeHTTP snippet to demonstrate a safe mitigation (dropping underscore-containing headers) before constructing the FrankenPHP request.
Changes:
- Add a doc comment to `NewRequestWithContext` warning about underscore header spoofing via CGI header mapping and recommending mitigation.
- Update `ExampleServeHTTP` to remove request headers containing underscores prior to calling `NewRequestWithContext`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| frankenphp_test.go | Updates the public example to drop underscore-containing headers before creating the FrankenPHP request. |
| context.go | Adds documentation warning callers about underscore header spoofing risk and recommended mitigation. |
What

Document that `NewRequestWithContext` does not strip request headers whose name contains an underscore.

Why

CGI maps dashes to underscores (`Foo-Bar` becomes `HTTP_FOO_BAR`), so a client-supplied `Foo_Bar` header is indistinguishable from a legitimate `Foo-Bar` in `$_SERVER` and can spoof it. This affects any such header an application or upstream proxy trusts (forwarded-for, auth, etc.). The Caddy-based server and reverse proxies like nginx (`underscores_in_headers off`) already drop these. Callers using the Go API directly must do it themselves unless they explicitly whitelist them.

Changes

- Doc comment on `NewRequestWithContext` explaining the risk and mitigation.
- `ExampleServeHTTP` now drops underscore headers before building the request.
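The collision and the mitigation described in this PR, as an added example that is not code from the pull request or from FrankenPHP itself. `CGIName` spells out the standard CGI mapping (upper-case, dash to underscore, `HTTP_` prefix) so the collision is visible; `DropUnderscoreHeaders` is a hypothetical helper a caller of the Go API would run on the incoming `*http.Request` before handing it to `NewRequestWithContext`. The optional allow list stands in for the "explicitly whitelist" case mentioned above; the request and header values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// CGIName maps an HTTP header name to the CGI meta-variable name under which
// PHP exposes it in $_SERVER: upper-case, dashes replaced by underscores,
// prefixed with HTTP_. This is the standard CGI mapping written out to show
// the collision; it is not FrankenPHP's own implementation.
func CGIName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// DropUnderscoreHeaders deletes every header whose name contains an
// underscore, except names listed in allow (compared case-insensitively).
// It mirrors nginx's default `underscores_in_headers off` and returns the
// names removed so the caller can log them. Deleting map keys while ranging
// over the map is safe in Go. Hypothetical helper, not part of FrankenPHP.
func DropUnderscoreHeaders(h http.Header, allow ...string) []string {
	var dropped []string
	for name := range h {
		if !strings.Contains(name, "_") || isAllowed(name, allow) {
			continue
		}
		dropped = append(dropped, name)
		delete(h, name)
	}
	return dropped
}

func isAllowed(name string, allow []string) bool {
	for _, a := range allow {
		if strings.EqualFold(name, a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: a legitimate X-Forwarded-For plus a forged
	// X_Forwarded_For that would land in the same $_SERVER slot.
	req, _ := http.NewRequest(http.MethodGet, "http://example.test/", nil)
	req.Header.Set("X-Forwarded-For", "203.0.113.5")
	req.Header.Set("X_Forwarded_For", "10.0.0.1")
	req.Header.Set("Content-Type", "text/plain")

	// Both names collapse to HTTP_X_FORWARDED_FOR under the CGI mapping.
	fmt.Println(CGIName("X-Forwarded-For") == CGIName("X_Forwarded_For"))

	dropped := DropUnderscoreHeaders(req.Header)
	fmt.Println("dropped:", dropped)
	// req can now be passed to frankenphp.NewRequestWithContext without the
	// forged header reaching $_SERVER.
}
```

Run this sanitisation on the request before building the FrankenPHP request, as the updated `ExampleServeHTTP` does; anything you deliberately allow through should be a header your application expects to see with an underscore in its name, since every allowed name is a name an attacker can also send.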