http2: validate Host header before sending

Verify that the Host header we send is valid. Avoids sending a request that the server will reject, possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http test added in CL 506996.

For golang/go#60374

Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/http2/transport.go b/http2/transport.go index 4f08ccb..da53e83 100644 --- a/http2/transport.go +++ b/http2/transport.go
@@ -1880,6 +1880,9 @@ if err != nil { return nil, err } + if !httpguts.ValidHostHeader(host) { + return nil, errors.New("http2: invalid Host header") + } var path string if req.Method != "CONNECT" {
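Review bot: The error returned at `return nil, errors.New("http2: invalid Host header")` is allocated fresh on each call and is not a named value, so a caller that wants to treat a rejected Host differently from other failures on this path has to compare message strings. Consider a package-level error variable so it can be matched with `errors.Is`. The check also sits above the `if req.Method != "CONNECT"` branch, so it applies to CONNECT requests as well. A one-line comment saying that is intended would help the next reader. Leaving the `host` value out of the message keeps an untrusted string out of error logs, which seems right. Finally, this hunk changes what callers see for a malformed Host and carries no test of its own, so it should not be cherry-picked without the net/http test the commit message refers to.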