net/http: does not verify validity of Host header #11206

Closed
@dvyukov

Request parsing does not verify validity of Host header, in particular it can contain spaces.
This leads to weird possibilities like:

```go
package main

import (
    "bufio"
    "bytes"
    "net/http"
    "os"
)

func main() {
    // The Host value carries a path and a space; the request-target is "http:/1.1".
    data := []byte("GET http:/1.1 HTTP/1.1\nHost: host.com/somethingelse HTTP\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    // Re-serialize the parsed request in proxy form.
    r.WriteProxy(os.Stdout)
}
```

```
GET http://host.com/somethingelse HTTP/1.1 HTTP/1.1
Host: host.com/somethingelse HTTP
User-Agent: Go 1.1 package http
```

which I guess can trick some other HTTP implementation.

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64
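
A strict Host check of the kind this report asks for, written as an added example (not code from the issue or from net/http). The names `validHost`, `validName` and `nameChars` are hypothetical, and the accepted character set is an assumption that is deliberately narrower than the RFC grammar for `uri-host [ ":" port ]`.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// nameChars is the whitelist for host names and IPv4 literals. Assumption of
// this example: no percent-encoding, no sub-delims, no underscore.
const nameChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"

func validName(s string) bool { return s != "" && strings.Trim(s, nameChars) == "" }

// validHost reports whether h has the shape uri-host [ ":" port ].
func validHost(h string) bool {
	host, port, hasPort := h, "", false
	if strings.HasPrefix(h, "[") { // IPv6 literal: [addr] or [addr]:port
		end := strings.IndexByte(h, ']')
		if end < 0 || !strings.Contains(h[1:end], ":") || net.ParseIP(h[1:end]) == nil {
			return false
		}
		if rest := h[end+1:]; rest != "" {
			if rest[0] != ':' {
				return false
			}
			port, hasPort = rest[1:], true
		}
	} else {
		if i := strings.LastIndexByte(h, ':'); i >= 0 {
			host, port, hasPort = h[:i], h[i+1:], true
		}
		if !validName(host) {
			return false
		}
	}
	// ParseUint rejects signs, spaces, the empty string and values above 65535.
	_, err := strconv.ParseUint(port, 10, 16)
	return !hasPort || err == nil
}

func main() {
	// Constructed samples; the first is the Host value from the report above.
	for _, h := range []string{"host.com/somethingelse HTTP", "host.com:8080", "[::1]:443"} {
		fmt.Printf("%q valid=%v\n", h, validHost(h))
	}
}
```

A server or proxy would apply such a check to the parsed Host value before using it to build an outbound request line.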
