From 4452224d6ac786d1d1a723490d08aa7038088f31 Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 14 Jul 2023 11:15:52 -0600 Subject: [PATCH] add comment. remove test --- api/api.go | 7 +++++++ api/api_test.go | 23 ----------------------- 2 files changed, 7 insertions(+), 23 deletions(-) diff --git a/api/api.go b/api/api.go index d6b4a25502d7..18bb3479c9be 100644 --- a/api/api.go +++ b/api/api.go @@ -1000,6 +1000,13 @@ func (r *request) toHTTP() (*http.Request, error) { return nil, err } + // validate that socket communications that do not use the host, detect + // slashes in the host name and replace it with local host. + // this is required since go started validating req.host in 1.20.6 and 1.19.11. + // prior to that they would strip out the slashes for you. They removed that + // behavior and added more strict validation as part of a CVE. + // https://github.com/golang/go/issues/60374 + // the hope is that if strings.HasPrefix(r.url.Host, "/") { r.url.Host = "localhost" } diff --git a/api/api_test.go b/api/api_test.go index 230d8f9fdfa5..4d5dd1fda830 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -991,29 +991,6 @@ func TestAPI_RequestToHTTP(t *testing.T) { } } -func TestAPI_RequestToHTTP_PrefixedWithSlashes(t *testing.T) { - t.Parallel() - c, s := makeClient(t) - defer s.Stop() - - c.config.Address = "/tmp/mysocket.sock" - r := c.newRequest("DELETE", "/v1/kv/foo") - q := &QueryOptions{ - Datacenter: "foo", - } - r.setQueryOptions(q) - req, err := r.toHTTP() - require.NoError(t, err) - // validate that socket communications that do not use the host, detect - // slashes in the host name and replace it with local host. - // this is required since go started validating req.host in 1.20.6. - // prior to that they would strip out the slahes for you. They removed that - // behavior and added more strict validation as part of a CVE. - // https://github.com/golang/go/issues/11206 - require.Equal(t, "localhost", req.Host) - -} - func TestAPI_ParseQueryMeta(t *testing.T) { t.Parallel() resp := &http.Response{