net/http: document that Handlers are resposible for validating Host headers

Fixes #23993 Change-Id: I112415c894e8c680bfc17d53772275430e46794b Reviewed-on: https://go-review.googlesource.com/115116Reviewed-by: Tim Cooper <tim.cooper@layeh.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

net/http: document that Handlers are resposible for validating Host headers
Fixes #23993 Change-Id: I112415c894e8c680bfc17d53772275430e46794b Reviewed-on: https://go-review.googlesource.com/115116Reviewed-by: Tim Cooper <tim.cooper@layeh.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
ad7320ac · Brad Fitzpatrick · 594eae5a · ad7320ac
Commit ad7320ac authored May 29, 2018 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

request.go src/net/http/request.go +5 -0

No files found.
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -214,6 +214,11 @@ type Request struct {
 	// names, Host may be in Punycode or Unicode form. Use
 	// golang.org/x/net/idna to convert it to either format if
 	// needed.
+	// To prevent DNS rebinding attacks, server Handlers should
+	// validate that the Host header has a value for which the
+	// Handler considers itself authoritative. The included
+	// ServeMux supports patterns registered to particular host
+	// names and thus protects its registered Handlers.
 	//
 	// For client requests Host optionally overrides the Host
 	// header to send. If empty, the Request.Write method uses