net/http: does not verify validity of Host header

[dvyukov]

Request parsing does not verify validity of Host header, in particular it can contain spaces.
This leads to weird possibilities like:

package main

import (
    "bufio"
    "bytes"
    "os"
    "net/http"
)

func main() {
    data := []byte("GET http:/1.1 HTTP/1.1\nHost: host.com/somethingelse HTTP\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    r.WriteProxy(os.Stdout)
}

GET http://host.com/somethingelse HTTP/1.1 HTTP/1.1
Host: host.com/somethingelse HTTP
User-Agent: Go 1.1 package http

which I guess can trick some other HTTP implementation.

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

[jeffallen]

I have a fix for this, for discussion purposes. I think it's 50% likely Brad will barf all over it, but hopefully his feedback will lead me to the right fix.. :)

[gopherbot]

CL https://golang.org/cl/11241 mentions this issue.

[fyelles]

@jeffallen, Did you notify the mailing list that you were working on this ? as mentioned in https://golang.org/doc/contribute.html > Discuss your design

I was working on the same bug and was just ready to submit it...
It's OK because it was a small one...

[rsc]

For the record, it's not necessary to notify the mailing list when you are working on a simple bug fix. It's fine to say something on the github issue if you are worried about duplicating effort.

[rsc]

Leaving open because the CL says "We may come back and make this stricter for 1.6."

[gopherbot]

CL https://golang.org/cl/17892 mentions this issue.