[net] http2: validate Host header before sending

Damien Neil (Gerrit)

unread,

Jun 28, 2023, 4:24:47 PM6/28/23

to goph...@pubsubhelper.golang.org, Tatiana Bradley, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Tatiana Bradley.

View Change

To view, visit change 506995. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jun 29, 2023, 11:42:18 AM6/29/23

to Damien Neil, goph...@pubsubhelper.golang.org, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Damien Neil.

Patch set 2:Code-Review +2

View Change

To view, visit change 506995. To unsubscribe, or for help writing mail filters, visit settings.

Damien Neil (Gerrit)

unread,

Jun 29, 2023, 1:00:20 PM6/29/23

to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Tatiana Bradley, Gopher Robot, golang-co...@googlegroups.com

Damien Neil submitted this change.

View Change

Approvals:
  Tatiana Bradley: Looks good to me, approved
  Damien Neil: Run TryBots
  Gopher Robot: TryBots succeeded

http2: validate Host header before sending

Verify that the Host header we send is valid.
Avoids sending a request that the server will reject,
possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http
test added in CL 506996.

For golang/go#60374

Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Damien Neil <dn...@google.com>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>
---
M http2/transport.go
1 file changed, 3 insertions(+), 0 deletions(-)

diff --git a/http2/transport.go b/http2/transport.go
index 4f08ccb..da53e83 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -1880,6 +1880,9 @@
 	if err != nil {
 		return nil, err
 	}
+	if !httpguts.ValidHostHeader(host) {
+		return nil, errors.New("http2: invalid Host header")
+	}
 
 	var path string
 	if req.Method != "CONNECT" {

To view, visit change 506995. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jul 5, 2023, 4:52:13 PM7/5/23

to goph...@pubsubhelper.golang.org, Damien Neil, golang-co...@googlegroups.com

Tatiana Bradley has uploaded this change for review.

View Change

http2: validate Host header before sending

Verify that the Host header we send is valid.
Avoids sending a request that the server will reject,
possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http
test added in CL 506996.

For golang/go#60374

For golang/go#61076



Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Damien Neil <dn...@google.com>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>

(cherry picked from commit 63727cc58253c59c71cf8491bb4d7448990d63b8)


---
M http2/transport.go
1 file changed, 3 insertions(+), 0 deletions(-)

diff --git a/http2/transport.go b/http2/transport.go
index 4ded4df..52dbc99 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -1743,6 +1743,9 @@


 	if err != nil {
 		return nil, err
 	}
+	if !httpguts.ValidHostHeader(host) {
+		return nil, errors.New("http2: invalid Host header")
+	}
 
 	var path string
 	if req.Method != "CONNECT" {

To view, visit change 507905. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jul 5, 2023, 4:52:59 PM7/5/23

to goph...@pubsubhelper.golang.org, Damien Neil, golang-co...@googlegroups.com

Tatiana Bradley has uploaded this change for review.

View Change

http2: validate Host header before sending

Verify that the Host header we send is valid.
Avoids sending a request that the server will reject,
possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http
test added in CL 506996.

For golang/go#60374

For golang/go##61076



Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Damien Neil <dn...@google.com>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>
(cherry picked from commit 63727cc58253c59c71cf8491bb4d7448990d63b8)
---
M http2/transport.go
1 file changed, 3 insertions(+), 0 deletions(-)

diff --git a/http2/transport.go b/http2/transport.go
index 30f706e..65d3b35 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -1848,6 +1848,9 @@


 	if err != nil {
 		return nil, err
 	}
+	if !httpguts.ValidHostHeader(host) {
+		return nil, errors.New("http2: invalid Host header")
+	}
 
 	var path string
 	if req.Method != "CONNECT" {

To view, visit change 507906. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jul 5, 2023, 4:53:10 PM7/5/23

to Damien Neil, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley uploaded patch set #2 to this change.

View Change

http2: validate Host header before sending

Verify that the Host header we send is valid.
Avoids sending a request that the server will reject,
possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http
test added in CL 506996.

For golang/go#60374

For golang/go#61076



Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Damien Neil <dn...@google.com>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>
(cherry picked from commit 63727cc58253c59c71cf8491bb4d7448990d63b8)
---
M http2/transport.go
1 file changed, 3 insertions(+), 0 deletions(-)

To view, visit change 507906. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jul 5, 2023, 4:53:33 PM7/5/23

to Damien Neil, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley uploaded patch set #2 to this change.

View Change

http2: validate Host header before sending

Verify that the Host header we send is valid.
Avoids sending a request that the server will reject,
possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http
test added in CL 506996.

For golang/go#60374

For golang/go#61075



Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <go...@golang.org>
Run-TryBot: Damien Neil <dn...@google.com>
Reviewed-by: Tatiana Bradley <tatiana...@google.com>
(cherry picked from commit 63727cc58253c59c71cf8491bb4d7448990d63b8)
---
M http2/transport.go
1 file changed, 3 insertions(+), 0 deletions(-)

To view, visit change 507905. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jul 5, 2023, 4:56:16 PM7/5/23

to Damien Neil, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley abandoned this change.

View Change

Abandoned

To view, visit change 507906. To unsubscribe, or for help writing mail filters, visit settings.

Tatiana Bradley (Gerrit)

unread,

Jul 5, 2023, 4:56:24 PM7/5/23

to Damien Neil, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Tatiana Bradley abandoned this change.

View Change

Abandoned

To view, visit change 507905. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward