[NET-4897] net/http host header is now verified and request.host that contains socked now error#18129
Merged
[NET-4897] net/http host header is now verified and request.host that contains socked now error#18129
Conversation
…20.6 introduces an invalid host header error
…-unit.yml. pin the 1.20 api tests to use 1.20.5
…s just testing 1.20
…hen the go-version input is supplied.
github-actions
bot
added
theme/api
jmurret
added
pr/no-changelog
jmurret
requested review from
cthain,
dhiaayachi,
kisunji,
mkeeler,
nfi-hashicorp and
rboyer
dhiaayachi
approved these changes
Jul 14, 2023
Contributor
dhiaayachi
left a comment
dhiaayachi
left a comment
There was a problem hiding this comment.
Thank you @jmurret !
I left a comment about the go version change, other than that LGTM!
mkeeler
approved these changes
Jul 14, 2023
Member
mkeeler
left a comment
mkeeler
left a comment
There was a problem hiding this comment.
This PR seems fine as a mitigation for the Go team breaking functionality.
Is the Go team expected to fix this in the future release. It seems like the net/http code that is handling the host header knows about the URLs scheme for the request and could more intelligently handle host headers that look like unix sockets or pipes.
kisunji
reviewed
Jul 14, 2023
| } | ||
|
|
||
| if strings.HasPrefix(r.url.Host, "/") { | ||
| r.url.Host = "localhost" |
Collaborator
There was a problem hiding this comment.
There was a problem hiding this comment.
So . or - may be accepted (see moby/moby#45942 (review)), but yeah, empty would've been most transparent.
nfi-hashicorp
approved these changes
Jul 14, 2023
Collaborator
nfi-hashicorp
left a comment
nfi-hashicorp
left a comment
There was a problem hiding this comment.
Some nits, but good enough to 🚢
Member
Author
This is fixed in 19634a4 |
kisunji
approved these changes
Jul 14, 2023
This was referenced Jul 14, 2023
jmurret
added a commit
that referenced
this pull request
Jul 14, 2023
… contains socked now error (#18129) ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern
jmurret
added a commit
that referenced
this pull request
Jul 14, 2023
… contains socked now error (#18129) ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern
jmurret
added a commit
that referenced
this pull request
Jul 14, 2023
… contains socked now error (#18129) ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern
jmurret
added a commit
that referenced
this pull request
Jul 14, 2023
…st.host that contains socked now error into release/1.13.x (#18142) ## Backport This PR is auto-generated from #18129 to be assessed for backporting due to the inclusion of the label backport/1.13. :rotating_light: >**Warning** automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, _not including_, the commit where the merge conflict occurred. The person who merged in the original PR is: @jmurret This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in. > merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict [] The below text is copied from the body of the original PR. --- ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern --- <details> <summary> Overview of commits </summary> - 747195f - 5164924 - f4d6ca1 - a474071 - 8c03b36 - c50b17c - cc8eaf8 - ce10138 - 133c7ec - b0bd440 - 8f22308 - f8578b0 - 4452224 - 19634a4 </details> --------- Co-authored-by: temp <[email protected]> Co-authored-by: John Murret <[email protected]>
jmurret
added a commit
that referenced
this pull request
Jul 17, 2023
… contains socked now error (#18129) ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern
jmurret
added a commit
that referenced
this pull request
Jul 17, 2023
…st.host that contains socked now error into release/1.15.x (#18144) ## Backport This PR is auto-generated from #18129 to be assessed for backporting due to the inclusion of the label backport/1.15. :rotating_light: >**Warning** automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, _not including_, the commit where the merge conflict occurred. The person who merged in the original PR is: @jmurret This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in. > merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict [] The below text is copied from the body of the original PR. --- ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern --- <details> <summary> Overview of commits </summary> - 747195f - 5164924 - f4d6ca1 - a474071 - 8c03b36 - c50b17c - cc8eaf8 - ce10138 - 133c7ec - b0bd440 - 8f22308 - f8578b0 - 4452224 - 19634a4 </details> --------- Co-authored-by: temp <[email protected]> Co-authored-by: John Murret <[email protected]>
jmurret
added a commit
that referenced
this pull request
Jul 17, 2023
…st.host that contains socked now error into release/1.14.x (#18143) ## Backport This PR is auto-generated from #18129 to be assessed for backporting due to the inclusion of the label backport/1.14. :rotating_light: >**Warning** automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, _not including_, the commit where the merge conflict occurred. The person who merged in the original PR is: @jmurret This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in. > merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict [] The below text is copied from the body of the original PR. --- ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern --- <details> <summary> Overview of commits </summary> - 747195f - 5164924 - f4d6ca1 - a474071 - 8c03b36 - c50b17c - cc8eaf8 - ce10138 - 133c7ec - b0bd440 - 8f22308 - f8578b0 - 4452224 - 19634a4 </details> --------- Co-authored-by: temp <[email protected]> Co-authored-by: John Murret <[email protected]>
jmurret
added a commit
that referenced
this pull request
Jul 17, 2023
…st.host that contains socked now error into release/1.16.x (#18145) * no-op commit due to failed cherry-picking * [NET-4897] net/http host header is now verified and request.host that contains socked now error (#18129) ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern --------- Co-authored-by: temp <[email protected]> Co-authored-by: John Murret <[email protected]>
Description
This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10.
go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes.
For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value.
client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby
Testing & Reproduction steps
Check CI tests.
Links