-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: go 1.20.6 host validation breaks setting Host to a unix socket address [1.20 backport] #61826
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Milestone
Comments
gopherbot
added
CherryPickCandidate
Used during the release process for point releases
Security
labels
Aug 7, 2023
heschi
added
the
CherryPickApproved
Used during the release process for point releases
label
Aug 9, 2023
gopherbot
removed
the
CherryPickCandidate
Used during the release process for point releases
label
Aug 9, 2023
Change https://go.dev/cl/518756 mentions this issue: |
Closed by merging ede3e27 to release-branch.go1.20. |
gopherbot
pushed a commit
that referenced
this issue
Aug 14, 2023
…eaders Historically, the Transport has silently truncated invalid Host headers at the first '/' or ' ' character. CL 506996 changed this behavior to reject invalid Host headers entirely. Unfortunately, Docker appears to rely on the previous behavior. When sending a HTTP/1 request with an invalid Host, send an empty Host header. This is safer than truncation: If you care about the Host, then you should get the one you set; if you don't care, then an empty Host should be fine. Continue to fully validate Host headers sent to a proxy, since proxies generally can't productively forward requests without a Host. For #60374 Fixes #61431 Fixes #61826 Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6 Reviewed-on: https://go-review.googlesource.com/c/go/+/511155 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Damien Neil <dneil@google.com> (cherry picked from commit b9153f6) Reviewed-on: https://go-review.googlesource.com/c/go/+/518756 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
@neild requested issue #61431 to be considered for backport to the next 1.20 minor release.
The text was updated successfully, but these errors were encountered: