From 007faac7bf4afec50e9f68415d654c206133df6e Mon Sep 17 00:00:00 2001
From: wanglimin <wanglimin@xfusion.com>
Date: Thu, 24 Aug 2023 18:17:26 +0800
Subject: [PATCH] permit requests with invalid Host headers

---
 ...t-requests-with-invalid-Host-headers.patch | 103 ++++++++++++++++++
 golang.spec                                   |   6 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 0003-net-http-permit-requests-with-invalid-Host-headers.patch

diff --git a/0003-net-http-permit-requests-with-invalid-Host-headers.patch b/0003-net-http-permit-requests-with-invalid-Host-headers.patch
new file mode 100644
index 0000000..ca5d045
--- /dev/null
+++ b/0003-net-http-permit-requests-with-invalid-Host-headers.patch
@@ -0,0 +1,103 @@
+From b9153f6ef338baee5fe02a867c8fbc83a8b29dd1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 19 Jul 2023 10:30:46 -0700
+Subject: [PATCH] net/http: permit requests with invalid Host headers
+
+Historically, the Transport has silently truncated invalid
+Host headers at the first '/' or ' ' character. CL 506996 changed
+this behavior to reject invalid Host headers entirely.
+Unfortunately, Docker appears to rely on the previous behavior.
+
+When sending a HTTP/1 request with an invalid Host, send an empty
+Host header. This is safer than truncation: If you care about the
+Host, then you should get the one you set; if you don't care,
+then an empty Host should be fine.
+
+Continue to fully validate Host headers sent to a proxy,
+since proxies generally can't productively forward requests
+without a Host.
+
+For #60374
+Fixes #61431
+
+Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6
+Reviewed-on: https://go-review.googlesource.com/c/go/+/511155
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+---
+ src/net/http/request.go      | 23 ++++++++++++++++++++++-
+ src/net/http/request_test.go | 17 ++++++++++++-----
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index a2e8373dd5..d1fbd5df90 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -591,8 +591,29 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ 	if err != nil {
+ 		return err
+ 	}
++	// Validate that the Host header is a valid header in general,
++	// but don't validate the host itself. This is sufficient to avoid
++	// header or request smuggling via the Host field.
++	// The server can (and will, if it's a net/http server) reject
++	// the request if it doesn't consider the host valid.
+ 	if !httpguts.ValidHostHeader(host) {
+-		return errors.New("http: invalid Host header")
++		// Historically, we would truncate the Host header after '/' or ' '.
++		// Some users have relied on this truncation to convert a network
++		// address such as Unix domain socket path into a valid, ignored
++		// Host header (see https://go.dev/issue/61431).
++		//
++		// We don't preserve the truncation, because sending an altered
++		// header field opens a smuggling vector. Instead, zero out the
++		// Host header entirely if it isn't valid. (An empty Host is valid;
++		// see RFC 9112 Section 3.2.)
++		//
++		// Return an error if we're sending to a proxy, since the proxy
++		// probably can't do anything useful with an empty Host header.
++		if !usingProxy {
++			host = ""
++		} else {
++			return errors.New("http: invalid Host header")
++		}
+ 	}
+ 
+ 	// According to RFC 6874, an HTTP client, proxy, or other
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 0892bc255f..a32b583c11 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -767,16 +767,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) {
+ 	}
+ }
+ 
+-func TestRequestBadHost(t *testing.T) {
++func TestRequestBadHostHeader(t *testing.T) {
+ 	got := []string{}
+ 	req, err := NewRequest("GET", "http://foo/after", nil)
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+-	req.Host = "foo.com with spaces"
+-	req.URL.Host = "foo.com with spaces"
+-	if err := req.Write(logWrites{t, &got}); err == nil {
+-		t.Errorf("Writing request with invalid Host: succeded, want error")
++	req.Host = "foo.com\nnewline"
++	req.URL.Host = "foo.com\nnewline"
++	req.Write(logWrites{t, &got})
++	want := []string{
++		"GET /after HTTP/1.1\r\n",
++		"Host: \r\n",
++		"User-Agent: " + DefaultUserAgent + "\r\n",
++		"\r\n",
++	}
++	if !reflect.DeepEqual(got, want) {
++		t.Errorf("Writes = %q\n  Want = %q", got, want)
+ 	}
+ }
+ 
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index 4f3534d..eb8b362 100644
--- a/golang.spec
+++ b/golang.spec
@@ -60,7 +60,7 @@
 
 Name:           golang
 Version:        1.20.7
-Release:        1
+Release:        2
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -116,6 +116,7 @@ Requires:       %{vendor}-rpm-config
 
 Patch6001:  0001-Enable-go-plugin-support-for-riscv64-based-on-work-b.patch
 Patch6002:  0002-cmd-go-use-local-proxy-and-sumdb.patch
+Patch6003:  0003-net-http-permit-requests-with-invalid-Host-headers.patch
 ExclusiveArch:  %{golang_arches}
 
 %description
@@ -353,6 +354,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Thu Aug 24 2023 wanglimin <wanglimin@xfusion.com> - 1.20.7-2
+- permit invalid host header for docker
+
 * Mon Aug 7 2023 Funda Wang <fundawang@yeah.net> - 1.20.7-1
 - New version 1.20.7
 
-- 
Gitee