Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: insufficient sanitization of Host header [1.19 backport] #61075

Closed
gopherbot opened this issue Jun 29, 2023 · 3 comments
Closed

net/http: insufficient sanitization of Host header [1.19 backport] #61075

gopherbot opened this issue Jun 29, 2023 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #60374 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues. This is a (fairly minor) security issue.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Jun 29, 2023
@gopherbot gopherbot added this to the Go1.19.11 milestone Jun 29, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/507358 mentions this issue: net/http: validate Host header before sending

@tatianab tatianab added release-blocker CherryPickApproved Used during the release process for point releases Security and removed release-blocker CherryPickCandidate Used during the release process for point releases labels Jun 30, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/507905 mentions this issue: http2: validate Host header before sending

@gopherbot
Copy link
Contributor Author

Closed by merging 5fa6923 to release-branch.go1.19.

gopherbot pushed a commit that referenced this issue Jul 6, 2023
Verify that the Host header we send is valid.
Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
adding an X-Evil header to HTTP/1 requests.

Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
the header and will go into a retry loop when the server rejects it.
CL 506995 adds the necessary validation to x/net/http2.

Updates #60374
Fixes #61075
For CVE-2023-29406

Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
(cherry picked from commit 499458f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
zregvart added a commit to zregvart/ec-cli that referenced this issue Jul 21, 2023
A change[1] was backported to golang 1.19 that introduces additional
checks on the `Host` HTTP header. The docker client connecting via
Unix domain socket to the docker daemon does not specify the `Host`
header and that triggers the error `http: invalid Host header`.

The fix[2] was introduced in an unreleased version[3] of docker client
which we use via commit id here to resolve the issue.

[1] golang/go#61075
[2] moby/moby#45935
[3] moby/moby#45971
@golang golang locked and limited conversation to collaborators Jul 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Development

No branches or pull requests

2 participants