From 4983ac79ff7da263392fb347b5b8f70bd8180c21 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 26 Sep 2023 13:55:57 +0200 Subject: [PATCH] Revert "package/docker-cli: backport fix for host header check" This reverts commit ce1b80f27dc86d7b23aa221b7d1601dcd57e451e. With the bump to go 1.19.13, this workaround is no longer needed. Signed-off-by: Peter Korsgaard --- ...ackport-fix-for-go-Host-header-check.patch | 127 ------------------ 1 file changed, 127 deletions(-) delete mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch deleted file mode 100644 index 2b58582538..0000000000 --- a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001 -From: Sebastiaan van Stijn -Date: Sat, 15 Jul 2023 02:22:10 +0200 -Subject: [PATCH] backport fix for go Host header check - -Go 1.20.6 and 1.19.11 include a security check of the http Host header: - - https://github.com/golang/go/issues/60374 - -docker-cli fails this check: - - $ docker exec -it ctr bash - http: invalid Host header - -This is a backported patch to fix this issue. - -Issue: https://github.com/moby/moby/issues/45935 -Upstream PR: https://github.com/moby/moby/pull/45942 - -The upstream PR has been merged and will be included in v24.0.5. - -Signed-off-by: Christian Stewart -[Peter: drop vendor.mod/vendor.sum changes] ---- - -For local communications (npipe://, unix://), the hostname is not used, -but we need valid and meaningful hostname. - -The current code used the socket path as hostname, which gets rejected by -go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1], -which was implemented in https://go.dev/issue/60374. - -Prior versions go Go would clean the host header, and strip slashes in the -process, but go1.20.6 and go1.19.11 no longer do, and reject the host -header. ---- - .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++ - .../github.com/docker/docker/client/hijack.go | 6 +++- - .../docker/docker/client/request.go | 10 +++--- - 4 files changed, 72 insertions(+), 40 deletions(-) - -diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go -index 1c081a51ae..54fa36cca8 100644 ---- a/vendor/github.com/docker/docker/client/client.go -+++ b/vendor/github.com/docker/docker/client/client.go -@@ -56,6 +56,36 @@ import ( - "github.com/pkg/errors" - ) - -+// DummyHost is a hostname used for local communication. -+// -+// It acts as a valid formatted hostname for local connections (such as "unix://" -+// or "npipe://") which do not require a hostname. It should never be resolved, -+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2] -+// and [RFC 6761, Section 6.3]). -+// -+// [RFC 7230, Section 5.4] defines that an empty header must be used for such -+// cases: -+// -+// If the authority component is missing or undefined for the target URI, -+// then a client MUST send a Host header field with an empty field-value. -+// -+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not -+// allow an empty header to be used, and requires req.URL.Scheme to be either -+// "http" or "https". -+// -+// For further details, refer to: -+// -+// - https://github.com/docker/engine-api/issues/189 -+// - https://github.com/golang/go/issues/13624 -+// - https://github.com/golang/go/issues/61076 -+// - https://github.com/moby/moby/issues/45935 -+// -+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2 -+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3 -+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 -+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569 -+const DummyHost = "api.moby.localhost" -+ - // ErrRedirect is the error returned by checkRedirect when the request is non-GET. - var ErrRedirect = errors.New("unexpected redirect in response") - -diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go -index 6bdacab10a..4dcaaca4c5 100644 ---- a/vendor/github.com/docker/docker/client/hijack.go -+++ b/vendor/github.com/docker/docker/client/hijack.go -@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) { - } - - func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) { -- req.Host = cli.addr -+ req.URL.Host = cli.addr -+ if cli.proto == "unix" || cli.proto == "npipe" { -+ // Override host header for non-tcp connections. -+ req.Host = DummyHost -+ } - req.Header.Set("Connection", "Upgrade") - req.Header.Set("Upgrade", proto) - -diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go -index c799095c12..bcedcf3bd9 100644 ---- a/vendor/github.com/docker/docker/client/request.go -+++ b/vendor/github.com/docker/docker/client/request.go -@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea - return nil, err - } - req = cli.addHeaders(req, headers) -+ req.URL.Scheme = cli.scheme -+ req.URL.Host = cli.addr - - if cli.proto == "unix" || cli.proto == "npipe" { -- // For local communications, it doesn't matter what the host is. We just -- // need a valid and meaningful host name. (See #189) -- req.Host = "docker" -+ // Override host header for non-tcp connections. -+ req.Host = DummyHost - } - -- req.URL.Host = cli.addr -- req.URL.Scheme = cli.scheme -- - if expectedPayload && req.Header.Get("Content-Type") == "" { - req.Header.Set("Content-Type", "text/plain") - } --- -2.41.0 -