From fcf8d4b3ff068b165cc4a0441f244a0b362d064f Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Tue, 11 Jul 2023 23:27:24 -0700
Subject: [PATCH] http3: validate Host header before sending (#3948)

---
 http3/request_writer.go      | 4 ++++
 http3/request_writer_test.go | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/http3/request_writer.go b/http3/request_writer.go
index fcff6a1f..875f4031 100644
--- a/http3/request_writer.go
+++ b/http3/request_writer.go
@@ -2,6 +2,7 @@ package http3
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -81,6 +82,9 @@ func (w *requestWriter) encodeHeaders(req *http.Request, addGzipHeader bool, tra
 	if err != nil {
 		return err
 	}
+	if !httpguts.ValidHostHeader(host) {
+		return errors.New("http3: invalid Host header")
+	}
 	// http.NewRequest sets this field to HTTP/1.1
 	isExtendedConnect := req.Method == http.MethodConnect && req.Proto != "" && req.Proto != "HTTP/1.1"
diff --git a/http3/request_writer_test.go b/http3/request_writer_test.go
index c10e3457..74fd2398 100644
--- a/http3/request_writer_test.go
+++ b/http3/request_writer_test.go
@@ -59,6 +59,13 @@ var _ = Describe("Request Writer", func() {
 		Expect(headerFields).ToNot(HaveKey("accept-encoding"))
 	})
 
+	It("rejects invalid host headers", func() {
+		req, err := http.NewRequest(http.MethodGet, "https://quic.clemente.io/index.html?foo=bar", nil)
+		Expect(err).ToNot(HaveOccurred())
+		req.Host = "foo@bar" // @ is invalid
+		Expect(rw.WriteRequestHeader(str, req, false)).To(MatchError("http3: invalid Host header"))
+	})
+
 	It("sends cookies", func() {
 		req, err := http.NewRequest(http.MethodGet, "https://quic.clemente.io/", nil)
 		Expect(err).ToNot(HaveOccurred())
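Review bot: The new `httpguts.ValidHostHeader(host)` check in encodeHeaders carries no comment saying why it is there, so a reader of that line cannot tell which bytes are being kept out of the `:authority` pseudo-header; I would add `// Reject a host that cannot legally appear in :authority (e.g. '@', whitespace or control bytes); an unvalidated value would otherwise reach the peer, and any HTTP/1.1 hop behind it, verbatim.` above the `if`. Note that `httpguts.ValidHostHeader` is a per-byte allow-list and accepts the empty string, so if an empty `host` must be rejected that has to happen in the part of encodeHeaders not shown here; `host` is computed before this hunk and the function continues after it. If the rest of the function does not already run the other request header names and values through `httpguts.ValidHeaderFieldName`/`ValidHeaderFieldValue`, the same class of attacker-controlled-value problem remains for them — confirm against the lines outside the hunk. The check itself mirrors what net/http2's encodeHeaders does, and the error string differing only in its `http3:` prefix is fine.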
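Review bot: The new `It("rejects invalid host headers", ...)` pins only the `@` case, whereas the byte class this check matters for most in practice is whitespace and CR/LF, which a `Host` taken from untrusted input could carry into `:authority` and on to an HTTP/1.1 hop; I would add a sibling case with `req.Host = "quic.clemente.io\r\nx-injected: 1"` expecting the same `MatchError("http3: invalid Host header")`, or turn the `It` into a table over `[]string{"foo@bar", "foo bar", "foo\r\nbar"}`. The `// @ is invalid` comment could also name what decides that, e.g. `// '@' is not an allowed byte for httpguts.ValidHostHeader`. The enclosing `Describe` block and the `rw`/`str` fixtures it uses are set up outside this hunk.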