| Message ID | 20230717041047.1510851-1-christian@aperture.us |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v1,1/2] package/docker-engine: backport fix for host header check | expand |
Tested-by: TIAN Yuanhao <tianyuanhao3@163.com> At 2023-07-17 12:10:46, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote: >Go 1.20.6 and 1.19.11 include a security check of the http Host header: > > https://github.com/golang/go/issues/60374 > >docker-cli does not satisfy this check: > > $ docker exec -it ctr bash > http: invalid Host header > >This is a backported patch to fix this issue: > >Issue: https://github.com/moby/moby/issues/45935 >Upstream PR: https://github.com/moby/moby/pull/45942 > >The upstream PR has been merged and will be included in v24.0.5. > >Signed-off-by: Christian Stewart <christian@aperture.us> >--- > ...dummy-hostname-to-use-for-local-conn.patch | 174 ++++++++++++++++++ > ...a-dummy-hostname-for-local-connectio.patch | 69 +++++++ > 2 files changed, 243 insertions(+) > create mode 100644 package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch > create mode 100644 package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch > >diff --git a/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch >new file mode 100644 >index 0000000000..c5f8d1eb71 >--- /dev/null >+++ b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch >@@ -0,0 +1,174 @@ >+From 8ced4331e5e3a6760465a8ce2bd42c66d3232c96 Mon Sep 17 00:00:00 2001 >+From: Sebastiaan van Stijn <github@gone.nl> >+Date: Wed, 12 Jul 2023 14:15:38 +0200 >+Subject: [PATCH] client: define a "dummy" hostname to use for local >+ connections >+ >+Go 1.20.6 and 1.19.11 include a security check of the http Host header: >+ >+ https://github.com/golang/go/issues/60374 >+ >+This is a backported patch to fix this issue. >+ >+Issue: https://github.com/moby/moby/issues/45935 >+Upstream PR: https://github.com/moby/moby/pull/45942 >+ >+The upstream PR has been merged and will be included in v24.0.5. >+ >+Signed-off-by: Christian Stewart <christian@aperture.us> >+ >+--- >+ >+For local communications (npipe://, unix://), the hostname is not used, >+but we need valid and meaningful hostname. >+ >+The current code used the client's `addr` as hostname in some cases, which >+could contain the path for the unix-socket (`/var/run/docker.sock`), which >+gets rejected by go1.20.6 and go1.19.11 because of a security fix for >+[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374. >+ >+Prior versions go Go would clean the host header, and strip slashes in the >+process, but go1.20.6 and go1.19.11 no longer do, and reject the host >+header. >+ >+This patch introduces a `DummyHost` const, and uses this dummy host for >+cases where we don't need an actual hostname. >+ >+Before this patch (using go1.20.6): >+ >+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration >+ === RUN TestAttachWithTTY >+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header >+ --- FAIL: TestAttachWithTTY (0.11s) >+ === RUN TestAttachWithoutTTy >+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header >+ --- FAIL: TestAttachWithoutTTy (0.02s) >+ FAIL >+ >+With this patch applied: >+ >+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration >+ INFO: Testing against a local daemon >+ === RUN TestAttachWithTTY >+ --- PASS: TestAttachWithTTY (0.12s) >+ === RUN TestAttachWithoutTTy >+ --- PASS: TestAttachWithoutTTy (0.02s) >+ PASS >+ >+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx >+ >+Signed-off-by: Sebastiaan van Stijn <github@gone.nl> >+(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176) >+Signed-off-by: Sebastiaan van Stijn <github@gone.nl> >+--- >+ client/client.go | 30 ++++++++++++++++++++++++++++++ >+ client/hijack.go | 6 +++++- >+ client/request.go | 10 ++++------ >+ client/request_test.go | 4 ++-- >+ 4 files changed, 41 insertions(+), 9 deletions(-) >+ >+diff --git a/client/client.go b/client/client.go >+index 1c081a51ae..54fa36cca8 100644 >+--- a/client/client.go >++++ b/client/client.go >+@@ -56,6 +56,36 @@ import ( >+ "github.com/pkg/errors" >+ ) >+ >++// DummyHost is a hostname used for local communication. >++// >++// It acts as a valid formatted hostname for local connections (such as "unix://" >++// or "npipe://") which do not require a hostname. It should never be resolved, >++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2] >++// and [RFC 6761, Section 6.3]). >++// >++// [RFC 7230, Section 5.4] defines that an empty header must be used for such >++// cases: >++// >++// If the authority component is missing or undefined for the target URI, >++// then a client MUST send a Host header field with an empty field-value. >++// >++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not >++// allow an empty header to be used, and requires req.URL.Scheme to be either >++// "http" or "https". >++// >++// For further details, refer to: >++// >++// - https://github.com/docker/engine-api/issues/189 >++// - https://github.com/golang/go/issues/13624 >++// - https://github.com/golang/go/issues/61076 >++// - https://github.com/moby/moby/issues/45935 >++// >++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2 >++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3 >++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 >++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569 >++const DummyHost = "api.moby.localhost" >++ >+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET. >+ var ErrRedirect = errors.New("unexpected redirect in response") >+ >+diff --git a/client/hijack.go b/client/hijack.go >+index 6bdacab10a..4dcaaca4c5 100644 >+--- a/client/hijack.go >++++ b/client/hijack.go >+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) { >+ } >+ >+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) { >+- req.Host = cli.addr >++ req.URL.Host = cli.addr >++ if cli.proto == "unix" || cli.proto == "npipe" { >++ // Override host header for non-tcp connections. >++ req.Host = DummyHost >++ } >+ req.Header.Set("Connection", "Upgrade") >+ req.Header.Set("Upgrade", proto) >+ >+diff --git a/client/request.go b/client/request.go >+index c799095c12..bcedcf3bd9 100644 >+--- a/client/request.go >++++ b/client/request.go >+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea >+ return nil, err >+ } >+ req = cli.addHeaders(req, headers) >++ req.URL.Scheme = cli.scheme >++ req.URL.Host = cli.addr >+ >+ if cli.proto == "unix" || cli.proto == "npipe" { >+- // For local communications, it doesn't matter what the host is. We just >+- // need a valid and meaningful host name. (See #189) >+- req.Host = "docker" >++ // Override host header for non-tcp connections. >++ req.Host = DummyHost >+ } >+ >+- req.URL.Host = cli.addr >+- req.URL.Scheme = cli.scheme >+- >+ if expectedPayload && req.Header.Get("Content-Type") == "" { >+ req.Header.Set("Content-Type", "text/plain") >+ } >+diff --git a/client/request_test.go b/client/request_test.go >+index 6e5a6e81f2..50b09d954c 100644 >+--- a/client/request_test.go >++++ b/client/request_test.go >+@@ -29,12 +29,12 @@ func TestSetHostHeader(t *testing.T) { >+ }{ >+ { >+ "unix:///var/run/docker.sock", >+- "docker", >++ DummyHost, >+ "/var/run/docker.sock", >+ }, >+ { >+ "npipe:////./pipe/docker_engine", >+- "docker", >++ DummyHost, >+ "//./pipe/docker_engine", >+ }, >+ { >+-- >+2.41.0 >+ >diff --git a/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch >new file mode 100644 >index 0000000000..5bd8682927 >--- /dev/null >+++ b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch >@@ -0,0 +1,69 @@ >+From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001 >+From: Sebastiaan van Stijn <github@gone.nl> >+Date: Wed, 12 Jul 2023 15:07:59 +0200 >+Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections >+ >+For local communications (npipe://, unix://), the hostname is not used, >+but we need valid and meaningful hostname. >+ >+The current code used the socket path as hostname, which gets rejected by >+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1], >+which was implemented in https://go.dev/issue/60374. >+ >+Prior versions go Go would clean the host header, and strip slashes in the >+process, but go1.20.6 and go1.19.11 no longer do, and reject the host >+header. >+ >+Before this patch, tests would fail on go1.20.6: >+ >+ === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s) >+ time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s" >+ time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s" >+ time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s" >+ time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s" >+ authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header >+ >+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx >+ >+Signed-off-by: Sebastiaan van Stijn <github@gone.nl> >+(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c) >+Signed-off-by: Sebastiaan van Stijn <github@gone.nl> >+--- >+ pkg/plugins/client.go | 14 ++++++++++++-- >+ 1 file changed, 12 insertions(+), 2 deletions(-) >+ >+diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go >+index 752fecd0ae..e683eb777d 100644 >+--- a/pkg/plugins/client.go >++++ b/pkg/plugins/client.go >+@@ -18,6 +18,12 @@ import ( >+ >+ const ( >+ defaultTimeOut = 30 >++ >++ // dummyHost is a hostname used for local communication. >++ // >++ // For local communications (npipe://, unix://), the hostname is not used, >++ // but we need valid and meaningful hostname. >++ dummyHost = "plugin.moby.localhost" >+ ) >+ >+ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) { >+@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor >+ return nil, err >+ } >+ scheme := httpScheme(u) >+- >+- return transport.NewHTTPTransport(tr, scheme, socket), nil >++ hostName := u.Host >++ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" { >++ // Override host header for non-tcp connections. >++ hostName = dummyHost >++ } >++ return transport.NewHTTPTransport(tr, scheme, hostName), nil >+ } >+ >+ // NewClient creates a new plugin client (http). >+-- >+2.41.0 >+ >-- >2.41.0 > >_______________________________________________ >buildroot mailing list >buildroot@buildroot.org >https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "TIAN" == TIAN Yuanhao <tianyuanhao3@163.com> writes: > Tested-by: TIAN Yuanhao <tianyuanhao3@163.com> > At 2023-07-17 12:10:46, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote: >> Go 1.20.6 and 1.19.11 include a security check of the http Host header: >> >> https://github.com/golang/go/issues/60374 >> >> docker-cli does not satisfy this check: >> >> $ docker exec -it ctr bash >> http: invalid Host header >> >> This is a backported patch to fix this issue: >> >> Issue: https://github.com/moby/moby/issues/45935 >> Upstream PR: https://github.com/moby/moby/pull/45942 >> >> The upstream PR has been merged and will be included in v24.0.5. >> >> Signed-off-by: Christian Stewart <christian@aperture.us> Committed to 2023.02.x and 2023.05.x, thanks.
diff --git a/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch new file mode 100644 index 0000000000..c5f8d1eb71 --- /dev/null +++ b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch @@ -0,0 +1,174 @@ +From 8ced4331e5e3a6760465a8ce2bd42c66d3232c96 Mon Sep 17 00:00:00 2001 +From: Sebastiaan van Stijn <github@gone.nl> +Date: Wed, 12 Jul 2023 14:15:38 +0200 +Subject: [PATCH] client: define a "dummy" hostname to use for local + connections + +Go 1.20.6 and 1.19.11 include a security check of the http Host header: + + https://github.com/golang/go/issues/60374 + +This is a backported patch to fix this issue. + +Issue: https://github.com/moby/moby/issues/45935 +Upstream PR: https://github.com/moby/moby/pull/45942 + +The upstream PR has been merged and will be included in v24.0.5. + +Signed-off-by: Christian Stewart <christian@aperture.us> + +--- + +For local communications (npipe://, unix://), the hostname is not used, +but we need valid and meaningful hostname. + +The current code used the client's `addr` as hostname in some cases, which +could contain the path for the unix-socket (`/var/run/docker.sock`), which +gets rejected by go1.20.6 and go1.19.11 because of a security fix for +[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374. + +Prior versions go Go would clean the host header, and strip slashes in the +process, but go1.20.6 and go1.19.11 no longer do, and reject the host +header. + +This patch introduces a `DummyHost` const, and uses this dummy host for +cases where we don't need an actual hostname. + +Before this patch (using go1.20.6): + + make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration + === RUN TestAttachWithTTY + attach_test.go:46: assertion failed: error is not nil: http: invalid Host header + --- FAIL: TestAttachWithTTY (0.11s) + === RUN TestAttachWithoutTTy + attach_test.go:46: assertion failed: error is not nil: http: invalid Host header + --- FAIL: TestAttachWithoutTTy (0.02s) + FAIL + +With this patch applied: + + make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration + INFO: Testing against a local daemon + === RUN TestAttachWithTTY + --- PASS: TestAttachWithTTY (0.12s) + === RUN TestAttachWithoutTTy + --- PASS: TestAttachWithoutTTy (0.02s) + PASS + +[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx + +Signed-off-by: Sebastiaan van Stijn <github@gone.nl> +(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176) +Signed-off-by: Sebastiaan van Stijn <github@gone.nl> +--- + client/client.go | 30 ++++++++++++++++++++++++++++++ + client/hijack.go | 6 +++++- + client/request.go | 10 ++++------ + client/request_test.go | 4 ++-- + 4 files changed, 41 insertions(+), 9 deletions(-) + +diff --git a/client/client.go b/client/client.go +index 1c081a51ae..54fa36cca8 100644 +--- a/client/client.go ++++ b/client/client.go +@@ -56,6 +56,36 @@ import ( + "github.com/pkg/errors" + ) + ++// DummyHost is a hostname used for local communication. ++// ++// It acts as a valid formatted hostname for local connections (such as "unix://" ++// or "npipe://") which do not require a hostname. It should never be resolved, ++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2] ++// and [RFC 6761, Section 6.3]). ++// ++// [RFC 7230, Section 5.4] defines that an empty header must be used for such ++// cases: ++// ++// If the authority component is missing or undefined for the target URI, ++// then a client MUST send a Host header field with an empty field-value. ++// ++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not ++// allow an empty header to be used, and requires req.URL.Scheme to be either ++// "http" or "https". ++// ++// For further details, refer to: ++// ++// - https://github.com/docker/engine-api/issues/189 ++// - https://github.com/golang/go/issues/13624 ++// - https://github.com/golang/go/issues/61076 ++// - https://github.com/moby/moby/issues/45935 ++// ++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2 ++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3 ++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4 ++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569 ++const DummyHost = "api.moby.localhost" ++ + // ErrRedirect is the error returned by checkRedirect when the request is non-GET. + var ErrRedirect = errors.New("unexpected redirect in response") + +diff --git a/client/hijack.go b/client/hijack.go +index 6bdacab10a..4dcaaca4c5 100644 +--- a/client/hijack.go ++++ b/client/hijack.go +@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) { + } + + func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) { +- req.Host = cli.addr ++ req.URL.Host = cli.addr ++ if cli.proto == "unix" || cli.proto == "npipe" { ++ // Override host header for non-tcp connections. ++ req.Host = DummyHost ++ } + req.Header.Set("Connection", "Upgrade") + req.Header.Set("Upgrade", proto) + +diff --git a/client/request.go b/client/request.go +index c799095c12..bcedcf3bd9 100644 +--- a/client/request.go ++++ b/client/request.go +@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea + return nil, err + } + req = cli.addHeaders(req, headers) ++ req.URL.Scheme = cli.scheme ++ req.URL.Host = cli.addr + + if cli.proto == "unix" || cli.proto == "npipe" { +- // For local communications, it doesn't matter what the host is. We just +- // need a valid and meaningful host name. (See #189) +- req.Host = "docker" ++ // Override host header for non-tcp connections. ++ req.Host = DummyHost + } + +- req.URL.Host = cli.addr +- req.URL.Scheme = cli.scheme +- + if expectedPayload && req.Header.Get("Content-Type") == "" { + req.Header.Set("Content-Type", "text/plain") + } +diff --git a/client/request_test.go b/client/request_test.go +index 6e5a6e81f2..50b09d954c 100644 +--- a/client/request_test.go ++++ b/client/request_test.go +@@ -29,12 +29,12 @@ func TestSetHostHeader(t *testing.T) { + }{ + { + "unix:///var/run/docker.sock", +- "docker", ++ DummyHost, + "/var/run/docker.sock", + }, + { + "npipe:////./pipe/docker_engine", +- "docker", ++ DummyHost, + "//./pipe/docker_engine", + }, + { +-- +2.41.0 + diff --git a/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch new file mode 100644 index 0000000000..5bd8682927 --- /dev/null +++ b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch @@ -0,0 +1,69 @@ +From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001 +From: Sebastiaan van Stijn <github@gone.nl> +Date: Wed, 12 Jul 2023 15:07:59 +0200 +Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections + +For local communications (npipe://, unix://), the hostname is not used, +but we need valid and meaningful hostname. + +The current code used the socket path as hostname, which gets rejected by +go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1], +which was implemented in https://go.dev/issue/60374. + +Prior versions go Go would clean the host header, and strip slashes in the +process, but go1.20.6 and go1.19.11 no longer do, and reject the host +header. + +Before this patch, tests would fail on go1.20.6: + + === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s) + time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s" + time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s" + time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s" + time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s" + authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header + +[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx + +Signed-off-by: Sebastiaan van Stijn <github@gone.nl> +(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c) +Signed-off-by: Sebastiaan van Stijn <github@gone.nl> +--- + pkg/plugins/client.go | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go +index 752fecd0ae..e683eb777d 100644 +--- a/pkg/plugins/client.go ++++ b/pkg/plugins/client.go +@@ -18,6 +18,12 @@ import ( + + const ( + defaultTimeOut = 30 ++ ++ // dummyHost is a hostname used for local communication. ++ // ++ // For local communications (npipe://, unix://), the hostname is not used, ++ // but we need valid and meaningful hostname. ++ dummyHost = "plugin.moby.localhost" + ) + + func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) { +@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor + return nil, err + } + scheme := httpScheme(u) +- +- return transport.NewHTTPTransport(tr, scheme, socket), nil ++ hostName := u.Host ++ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" { ++ // Override host header for non-tcp connections. ++ hostName = dummyHost ++ } ++ return transport.NewHTTPTransport(tr, scheme, hostName), nil + } + + // NewClient creates a new plugin client (http). +-- +2.41.0 +
Go 1.20.6 and 1.19.11 include a security check of the http Host header: https://github.com/golang/go/issues/60374 docker-cli does not satisfy this check: $ docker exec -it ctr bash http: invalid Host header This is a backported patch to fix this issue: Issue: https://github.com/moby/moby/issues/45935 Upstream PR: https://github.com/moby/moby/pull/45942 The upstream PR has been merged and will be included in v24.0.5. Signed-off-by: Christian Stewart <christian@aperture.us> --- ...dummy-hostname-to-use-for-local-conn.patch | 174 ++++++++++++++++++ ...a-dummy-hostname-for-local-connectio.patch | 69 +++++++ 2 files changed, 243 insertions(+) create mode 100644 package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch create mode 100644 package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch