Skip to content

Commit

Permalink
chore: update to go1.20.8 (#47)
Browse files Browse the repository at this point in the history
  • Loading branch information
bassosimone authored Oct 4, 2023
2 parents a23fe43 + 56b9280 commit dbb36a6
Show file tree
Hide file tree
Showing 6 changed files with 42 additions and 14 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -248,7 +248,7 @@ the `Request` and `Response` fields;

- [ ] commit the changes and push `merged-main` to gitub;

- [ ] open a PR and merge it *using a merge commit*;
- [ ] open a PR using this check-list as part of the PR text and merge it *using a merge commit*;

- [ ] create a new working branch to update the examples;

Expand Down
2 changes: 1 addition & 1 deletion UPSTREAM
Original file line number Diff line number Diff line change
@@ -1 +1 @@
go1.20.6
go1.20.8
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,6 @@ module github.com/ooni/oohttp

go 1.20

require golang.org/x/net v0.12.0
require golang.org/x/net v0.15.0

require golang.org/x/text v0.11.0 // indirect
require golang.org/x/text v0.13.0 // indirect
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
23 changes: 22 additions & 1 deletion request.go
Original file line number Diff line number Diff line change
Expand Up @@ -586,8 +586,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
if err != nil {
return err
}
// Validate that the Host header is a valid header in general,
// but don't validate the host itself. This is sufficient to avoid
// header or request smuggling via the Host field.
// The server can (and will, if it's a net/http server) reject
// the request if it doesn't consider the host valid.
if !httpguts.ValidHostHeader(host) {
return errors.New("http: invalid Host header")
// Historically, we would truncate the Host header after '/' or ' '.
// Some users have relied on this truncation to convert a network
// address such as Unix domain socket path into a valid, ignored
// Host header (see https://go.dev/issue/61431).
//
// We don't preserve the truncation, because sending an altered
// header field opens a smuggling vector. Instead, zero out the
// Host header entirely if it isn't valid. (An empty Host is valid;
// see RFC 9112 Section 3.2.)
//
// Return an error if we're sending to a proxy, since the proxy
// probably can't do anything useful with an empty Host header.
if !usingProxy {
host = ""
} else {
return errors.New("http: invalid Host header")
}
}

// According to RFC 6874, an HTTP client, proxy, or other
Expand Down
17 changes: 12 additions & 5 deletions request_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -767,16 +767,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
}
}

func TestRequestBadHost(t *testing.T) {
func TestRequestBadHostHeader(t *testing.T) {
got := []string{}
req, err := NewRequest("GET", "http://foo/after", nil)
if err != nil {
t.Fatal(err)
}
req.Host = "foo.com with spaces"
req.URL.Host = "foo.com with spaces"
if err := req.Write(logWrites{t, &got}); err == nil {
t.Errorf("Writing request with invalid Host: succeded, want error")
req.Host = "foo.com\nnewline"
req.URL.Host = "foo.com\nnewline"
req.Write(logWrites{t, &got})
want := []string{
"GET /after HTTP/1.1\r\n",
"Host: \r\n",
"User-Agent: " + DefaultUserAgent + "\r\n",
"\r\n",
}
if !reflect.DeepEqual(got, want) {
t.Errorf("Writes = %q\n Want = %q", got, want)
}
}

Expand Down

0 comments on commit dbb36a6

Please sign in to comment.