qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-09-30 13:18:34 -06:00
Code Releases Activity

net/http: permit incoming CONNECT requests without Host headers

Browse Source 
Apparently they exist in the wild. See:
https://github.com/golang/go/issues/18215#issuecomment-301182496
(Facebook / iOS)

Fixes #18215

Change-Id: I9ddad3896b5d784cb3f5b3ee9c6819081a4a2702
Reviewed-on: https://go-review.googlesource.com/44004
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Matt Layher <mdlayher@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Brad Fitzpatrick 2017-05-23 23:42:47 +00:00
parent a5083bbf07
commit 88a235042d
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/net/http/serve_test.go
View File

@ -4358,6 +4358,9 @@ func TestServerValidatesHostHeader(t *testing.T) {
// Make an exception for HTTP upgrade requests: // Make an exception for HTTP upgrade requests:
{"PRI * HTTP/2.0", "", 200}, {"PRI * HTTP/2.0", "", 200},
// Also an exception for CONNECT requests: (Issue 18215)
{"CONNECT golang.org:443 HTTP/1.1", "", 200},
// But not other HTTP/2 stuff: // But not other HTTP/2 stuff:
{"PRI / HTTP/2.0", "", 400}, {"PRI / HTTP/2.0", "", 400},
{"GET / HTTP/2.0", "", 400}, {"GET / HTTP/2.0", "", 400},

2
src/net/http/server.go
View File

@ -943,7 +943,7 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
hosts, haveHost := req.Header["Host"] hosts, haveHost := req.Header["Host"]
isH2Upgrade := req.isH2Upgrade() isH2Upgrade := req.isH2Upgrade()
if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade { if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade && req.Method != "CONNECT" {
return nil, badRequestError("missing required Host header") return nil, badRequestError("missing required Host header")
} }
if len(hosts) > 1 { if len(hosts) > 1 {