mirror of
https://github.com/golang/go
synced 2024-09-30 11:08:36 -06:00
net/http: permit incoming CONNECT requests without Host headers
Apparently they exist in the wild. See: https://github.com/golang/go/issues/18215#issuecomment-301182496 (Facebook / iOS) Fixes #18215 Change-Id: I9ddad3896b5d784cb3f5b3ee9c6819081a4a2702 Reviewed-on: https://go-review.googlesource.com/44004 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Matt Layher <mdlayher@gmail.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
parent
a5083bbf07
commit
88a235042d
@ -4358,6 +4358,9 @@ func TestServerValidatesHostHeader(t *testing.T) {
|
||||
// Make an exception for HTTP upgrade requests:
|
||||
{"PRI * HTTP/2.0", "", 200},
|
||||
|
||||
// Also an exception for CONNECT requests: (Issue 18215)
|
||||
{"CONNECT golang.org:443 HTTP/1.1", "", 200},
|
||||
|
||||
// But not other HTTP/2 stuff:
|
||||
{"PRI / HTTP/2.0", "", 400},
|
||||
{"GET / HTTP/2.0", "", 400},
|
||||
|
@ -943,7 +943,7 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
|
||||
|
||||
hosts, haveHost := req.Header["Host"]
|
||||
isH2Upgrade := req.isH2Upgrade()
|
||||
if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade {
|
||||
if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade && req.Method != "CONNECT" {
|
||||
return nil, badRequestError("missing required Host header")
|
||||
}
|
||||
if len(hosts) > 1 {
|
||||
|
Loading…
Reference in New Issue
Block a user