go: net/http: insufficient sanitization of Host header
The net/http client does not sufficiently sanitize or check the validity of the Request.Host field. A maliciously-crafted Host field can inject request headers or entire new requests into the sent request. For example, setting Request.Host to "hostname\r\nX-Header: oops" adds an X-Header: oops header to the request.
Whether this is a vulnerability or just a bug depends on whether the Request.Host field is expected to be secured against untrusted inputs. We don’t document this one way or the other. Exploiting this in practice seems difficult, since it requires requests to be sent using an unsanitized and untrusted Request.Host value, so if this is a vulnerability it seems reasonable to treat it as PUBLIC track. Either way, we should fix it.
This is a continuation of #11206, which reports the same issue but had an incomplete fix.
Thanks to @bartekn for reporting this issue.
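As an added illustration (not code from this issue or from the Go standard library), the kind of allow-list check a client can apply to an untrusted Host value before assigning it to Request.Host, so that a value such as "hostname\r\nX-Header: oops" is rejected instead of ending the header line. The allow-list and the NewRequestWithHost helper are my own assumptions, not net/http's validation; note that, like the check discussed in this thread, it also rejects slash-prefixed unix-socket paths, which a caller should replace with something like "localhost".

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// validHostByte: illustrative allow-list of RFC 3986 host[:port] characters (not the stdlib's check).
func validHostByte(c byte) bool {
	if ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || ('0' <= c && c <= '9') {
		return true
	}
	return strings.IndexByte("-._~%!$&'()*+,;=:[]", c) >= 0
}

// ValidateHost rejects empty values and any byte outside the allow-list, so CR, LF,
// spaces and other control characters can never end the header line and smuggle extra headers.
func ValidateHost(host string) error {
	if host == "" {
		return fmt.Errorf("invalid Host header: empty")
	}
	for i := 0; i < len(host); i++ {
		if !validHostByte(host[i]) {
			return fmt.Errorf("invalid Host header: byte %q at offset %d", host[i], i)
		}
	}
	return nil
}

// NewRequestWithHost (assumed helper, not a net/http API) applies an untrusted
// Host value to a request only after it has passed ValidateHost.
func NewRequestWithHost(method, url, host string) (*http.Request, error) {
	if err := ValidateHost(host); err != nil {
		return nil, err
	}
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Host = host
	return req, nil
}

func main() {
	for _, h := range []string{"go.dev:8443", "hostname\r\nX-Header: oops", "/var/run/docker.sock"} {
		_, err := NewRequestWithHost("GET", "http://example.invalid/", h)
		fmt.Printf("%q -> %v\n", h, err)
	}
}
```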
About this issue
- State: closed
- Created a year ago
- Reactions: 7
- Comments: 23 (6 by maintainers)
Commits related to this issue
- http2: validate Host header before sending Verify that the Host header we send is valid. Avoids sending a request that the server will reject, possibly sending us into a retry loop. No test in this ... — committed to golang/net by neild a year ago
- net/http: validate Host header before sending Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Evil header to HTTP/1 requ... — committed to golang/go by neild a year ago
- [release-branch.go1.19] net/http: validate Host header before sending Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Ev... — committed to golang/go by neild a year ago
- [release-branch.go1.20] net/http: validate Host header before sending Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Ev... — committed to golang/go by neild a year ago
- docker: patch host header In the latest Go version, the net/http client will validate Host header stricter and will fail if it contains invalid characters. For more info, see: - https://github.com/g... — committed to buildbuddy-io/buildbuddy by sluongng a year ago
- net/http: validate Host header before sending Verify that the Host header we send is valid. Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" adding an X-Evil header to HTTP/1 requ... — committed to tailscale/go by neild a year ago
- package/docker-engine: backport fix for host header check Go 1.20.6 and 1.19.11 include a security check of the http Host header: https://github.com/golang/go/issues/60374 docker-cli does not sat... — committed to skiffos/buildroot by paralin a year ago
- package/docker-cli: backport fix for host header check Go 1.20.6 and 1.19.11 include a security check of the http Host header: https://github.com/golang/go/issues/60374 docker-cli does not satisf... — committed to skiffos/buildroot by paralin a year ago
Have to agree with @andresvia here. This essentially broke everything using docker. In a patch version update as well.
@jmurret I will dare to say that the security fix went too hard and broke a feature which many of us relied on, and now there’s really no right (clean) way to proceed. If the validation gets baked, workarounds will need to remain, because there will always be people running some Go release which doesn’t have the thing baked. I’m sorry, I know I’m not really commenting anything useful; I’ll just move on with my life 😄 and let you guys think about what you just did.
Thank you for this change. This does cause an issue for unix sockets that have hostnames starting with a slash. I think we are seeing the community that uses sockets now have to react to this change and put in conditional logic to check their host and, if it begins with a slash or ends with .sock, change the host name to something like localhost. Is it possible to have this baked into net/http host header validation?
Only thing left to resolve is the backports, so I think we can close this one.