
[v1,2/2] package/docker-cli: backport fix for host header check

Message ID 20230717041047.1510851-2-christian@aperture.us
State Accepted
Series [v1,1/2] package/docker-engine: backport fix for host header check | expand

Commit Message

Christian Stewart July 17, 2023, 4:10 a.m. UTC
Go 1.20.6 and 1.19.11 include a security check of the http Host header:

  https://github.com/golang/go/issues/60374

docker-cli does not satisfy this check:

  $ docker exec -it ctr bash
  http: invalid Host header

This is a backported patch to fix this issue:

Issue: https://github.com/moby/moby/issues/45935
Upstream PR: https://github.com/moby/moby/pull/45942

The upstream PR has been merged and will be included in v24.0.5.

Signed-off-by: Christian Stewart <christian@aperture.us>
---
 ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
 1 file changed, 270 insertions(+)
 create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch

Comments

TIAN Yuanhao July 21, 2023, 5:50 a.m. UTC | #1
Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>

At 2023-07-17 12:10:47, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
>Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>
>  https://github.com/golang/go/issues/60374
>
>docker-cli does not satisfy this check:
>
>  $ docker exec -it ctr bash
>  http: invalid Host header
>
>This is a backported patch to fix this issue:
>
>Issue: https://github.com/moby/moby/issues/45935
>Upstream PR: https://github.com/moby/moby/pull/45942
>
>The upstream PR has been merged and will be included in v24.0.5.
>
>Signed-off-by: Christian Stewart <christian@aperture.us>
>---
> ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
> 1 file changed, 270 insertions(+)
> create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>
>diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>new file mode 100644
>index 0000000000..2d16fd6df2
>--- /dev/null
>+++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>@@ -0,0 +1,270 @@
>+From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
>+From: Sebastiaan van Stijn <github@gone.nl>
>+Date: Sat, 15 Jul 2023 02:22:10 +0200
>+Subject: [PATCH] backport fix for go Host header check
>+
>+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>+    
>+  https://github.com/golang/go/issues/60374
>+
>+docker-cli fails this check:
>+
>+  $ docker exec -it ctr bash
>+  http: invalid Host header
>+
>+This is a backported patch to fix this issue.
>+
>+Issue: https://github.com/moby/moby/issues/45935
>+Upstream PR: https://github.com/moby/moby/pull/45942
>+
>+The upstream PR has been merged and will be included in v24.0.5.
>+
>+Signed-off-by: Christian Stewart <christian@aperture.us>
>+
>+---
>+
>+For local communications (npipe://, unix://), the hostname is not used,
>+but we need valid and meaningful hostname.
>+
>+The current code used the socket path as hostname, which gets rejected by
>+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
>+which was implemented in  https://go.dev/issue/60374.
>+
>+Prior versions go Go would clean the host header, and strip slashes in the
>+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
>+header.
>+---
>+ vendor.mod                                    | 16 +++++-----
>+ vendor.sum                                    | 32 +++++++++----------
>+ .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++
>+ .../github.com/docker/docker/client/hijack.go |  6 +++-
>+ .../docker/docker/client/request.go           | 10 +++---
>+ 6 files changed, 72 insertions(+), 40 deletions(-)
>+
>+diff --git a/vendor.mod b/vendor.mod
>+index 93b252033b..ed4f4e8050 100644
>+--- a/vendor.mod
>++++ b/vendor.mod
>+@@ -10,7 +10,7 @@ require (
>+ 	github.com/containerd/containerd v1.6.21
>+ 	github.com/creack/pty v1.1.18
>+ 	github.com/docker/distribution v2.8.2+incompatible
>+-	github.com/docker/docker v24.0.2+incompatible
>++	github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible // 24.0 branch
>+ 	github.com/docker/docker-credential-helpers v0.7.0
>+ 	github.com/docker/go-connections v0.4.0
>+ 	github.com/docker/go-units v0.5.0
>+@@ -23,24 +23,24 @@ require (
>+ 	github.com/mitchellh/mapstructure v1.3.2
>+ 	github.com/moby/buildkit v0.11.6
>+ 	github.com/moby/patternmatcher v0.5.0
>+-	github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7
>++	github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b
>+ 	github.com/moby/sys/sequential v0.5.0
>+ 	github.com/moby/sys/signal v0.7.0
>+ 	github.com/moby/term v0.5.0
>+ 	github.com/morikuni/aec v1.0.0
>+ 	github.com/opencontainers/go-digest v1.0.0
>+-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
>++	github.com/opencontainers/image-spec v1.1.0-rc3
>+ 	github.com/pkg/errors v0.9.1
>+-	github.com/sirupsen/logrus v1.9.0
>++	github.com/sirupsen/logrus v1.9.3
>+ 	github.com/spf13/cobra v1.7.0
>+ 	github.com/spf13/pflag v1.0.5
>+ 	github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
>+ 	github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
>+ 	github.com/xeipuuv/gojsonschema v1.2.0
>+ 	golang.org/x/sync v0.1.0
>+-	golang.org/x/sys v0.6.0
>+-	golang.org/x/term v0.6.0
>+-	golang.org/x/text v0.8.0
>++	golang.org/x/sys v0.8.0
>++	golang.org/x/term v0.8.0
>++	golang.org/x/text v0.9.0
>+ 	gopkg.in/yaml.v2 v2.4.0
>+ 	gotest.tools/v3 v3.4.0
>+ )
>+@@ -71,7 +71,7 @@ require (
>+ 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
>+ 	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
>+ 	golang.org/x/crypto v0.2.0 // indirect
>+-	golang.org/x/net v0.8.0 // indirect
>++	golang.org/x/net v0.10.0 // indirect
>+ 	golang.org/x/time v0.3.0 // indirect
>+ 	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
>+ 	google.golang.org/grpc v1.50.1 // indirect
>+diff --git a/vendor.sum b/vendor.sum
>+index 15bc7cd703..3f8fbc6294 100644
>+--- a/vendor.sum
>++++ b/vendor.sum
>+@@ -96,8 +96,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
>+ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
>+ github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
>+ github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
>+-github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
>+-github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
>++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible h1:sdGvA1bxu/1J51gAs1XU0bZC+2WxncYnI210as3c6g8=
>++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
>+ github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
>+ github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
>+ github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
>+@@ -273,8 +273,8 @@ github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
>+ github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
>+ github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
>+ github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
>+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7 h1:h6NclNly6/B9N4IdM5pcBaq/LkNLuaCmE7B44Vj+pb0=
>+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7/go.mod h1:P/ha3F7UZMmuUvqrHw9cZK/BjktSngQIgRPiairNHTc=
>++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b h1:w07xyBXYTrihwBqCkuXPLqcQ1a2guqXlRIocU+e9K7A=
>++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b/go.mod h1:Z5i5At5g0zU+ZBWb/95yVwDeNQX8BZmei9ZoYvoVD7g=
>+ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
>+ github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
>+ github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
>+@@ -301,8 +301,8 @@ github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
>+ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
>+ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
>+ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
>+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
>+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
>++github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
>++github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
>+ github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk=
>+ github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
>+ github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU=
>+@@ -357,8 +357,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
>+ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
>+ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
>+ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
>+-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
>+-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
>++github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
>++github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
>+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
>+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
>+ github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
>+@@ -482,8 +482,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
>+ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
>+ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
>+ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
>+-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
>+-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
>++golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
>++golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
>+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
>+ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
>+ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
>+@@ -553,13 +553,13 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
>+ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
>+-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>++golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
>++golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
>+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
>+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
>+-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
>+-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
>++golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
>++golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
>+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
>+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
>+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
>+@@ -568,8 +568,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
>+ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
>+ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
>+ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
>+-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
>+-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
>++golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
>++golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
>+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
>+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
>+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
>+diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
>+index 1c081a51ae..54fa36cca8 100644
>+--- a/vendor/github.com/docker/docker/client/client.go
>++++ b/vendor/github.com/docker/docker/client/client.go
>+@@ -56,6 +56,36 @@ import (
>+ 	"github.com/pkg/errors"
>+ )
>+ 
>++// DummyHost is a hostname used for local communication.
>++//
>++// It acts as a valid formatted hostname for local connections (such as "unix://"
>++// or "npipe://") which do not require a hostname. It should never be resolved,
>++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
>++// and [RFC 6761, Section 6.3]).
>++//
>++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
>++// cases:
>++//
>++//	If the authority component is missing or undefined for the target URI,
>++//	then a client MUST send a Host header field with an empty field-value.
>++//
>++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
>++// allow an empty header to be used, and requires req.URL.Scheme to be either
>++// "http" or "https".
>++//
>++// For further details, refer to:
>++//
>++//   - https://github.com/docker/engine-api/issues/189
>++//   - https://github.com/golang/go/issues/13624
>++//   - https://github.com/golang/go/issues/61076
>++//   - https://github.com/moby/moby/issues/45935
>++//
>++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
>++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
>++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
>++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
>++const DummyHost = "api.moby.localhost"
>++
>+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
>+ var ErrRedirect = errors.New("unexpected redirect in response")
>+ 
>+diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
>+index 6bdacab10a..4dcaaca4c5 100644
>+--- a/vendor/github.com/docker/docker/client/hijack.go
>++++ b/vendor/github.com/docker/docker/client/hijack.go
>+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
>+ }
>+ 
>+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
>+-	req.Host = cli.addr
>++	req.URL.Host = cli.addr
>++	if cli.proto == "unix" || cli.proto == "npipe" {
>++		// Override host header for non-tcp connections.
>++		req.Host = DummyHost
>++	}
>+ 	req.Header.Set("Connection", "Upgrade")
>+ 	req.Header.Set("Upgrade", proto)
>+ 
>+diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
>+index c799095c12..bcedcf3bd9 100644
>+--- a/vendor/github.com/docker/docker/client/request.go
>++++ b/vendor/github.com/docker/docker/client/request.go
>+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
>+ 		return nil, err
>+ 	}
>+ 	req = cli.addHeaders(req, headers)
>++	req.URL.Scheme = cli.scheme
>++	req.URL.Host = cli.addr
>+ 
>+ 	if cli.proto == "unix" || cli.proto == "npipe" {
>+-		// For local communications, it doesn't matter what the host is. We just
>+-		// need a valid and meaningful host name. (See #189)
>+-		req.Host = "docker"
>++		// Override host header for non-tcp connections.
>++		req.Host = DummyHost
>+ 	}
>+ 
>+-	req.URL.Host = cli.addr
>+-	req.URL.Scheme = cli.scheme
>+-
>+ 	if expectedPayload && req.Header.Get("Content-Type") == "" {
>+ 		req.Header.Set("Content-Type", "text/plain")
>+ 	}
>+-- 
>+2.41.0
>+
>-- 
>2.41.0
>
Peter Korsgaard Sept. 6, 2023, 7:01 p.m. UTC | #2
>>>>> "TIAN" == TIAN Yuanhao <tianyuanhao3@163.com> writes:

 > Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
 > At 2023-07-17 12:10:47, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
 >> Go 1.20.6 and 1.19.11 include a security check of the http Host header:
 >> 
 >> https://github.com/golang/go/issues/60374
 >> 
 >> docker-cli does not satisfy this check:
 >> 
 >> $ docker exec -it ctr bash
 >> http: invalid Host header
 >> 
 >> This is a backported patch to fix this issue:
 >> 
 >> Issue: https://github.com/moby/moby/issues/45935
 >> Upstream PR: https://github.com/moby/moby/pull/45942
 >> 
 >> The upstream PR has been merged and will be included in v24.0.5.
 >> 
 >> Signed-off-by: Christian Stewart <christian@aperture.us>
 >> ---
 >> ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
 >> 1 file changed, 270 insertions(+)
 >> create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
 >> 
 >> diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
 >> new file mode 100644
 >> index 0000000000..2d16fd6df2
 >> --- /dev/null
 >> +++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
 >> @@ -0,0 +1,270 @@
 >> +From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
 >> +From: Sebastiaan van Stijn <github@gone.nl>
 >> +Date: Sat, 15 Jul 2023 02:22:10 +0200
 >> +Subject: [PATCH] backport fix for go Host header check
 >> +
 >> +Go 1.20.6 and 1.19.11 include a security check of the http Host header:
 >> +    
 >> +  https://github.com/golang/go/issues/60374
 >> +
 >> +docker-cli fails this check:
 >> +
 >> +  $ docker exec -it ctr bash
 >> +  http: invalid Host header
 >> +
 >> +This is a backported patch to fix this issue.
 >> +
 >> +Issue: https://github.com/moby/moby/issues/45935
 >> +Upstream PR: https://github.com/moby/moby/pull/45942
 >> +
 >> +The upstream PR has been merged and will be included in v24.0.5.
 >> +
 >> +Signed-off-by: Christian Stewart <christian@aperture.us>
 >> +
 >> +---
 >> +
 >> +For local communications (npipe://, unix://), the hostname is not used,
 >> +but we need valid and meaningful hostname.
 >> +
 >> +The current code used the socket path as hostname, which gets rejected by
 >> +go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
 >> +which was implemented in  https://go.dev/issue/60374.
 >> +
 >> +Prior versions go Go would clean the host header, and strip slashes in the
 >> +process, but go1.20.6 and go1.19.11 no longer do, and reject the host
 >> +header.
 >> +---
 >> + vendor.mod                                    | 16 +++++-----
 >> + vendor.sum                                    | 32 +++++++++----------

Do we really need the changes to vendor.mod / vendor.sum? They didn't
apply to 23.0.5 here, so I dropped those hunks.

Committed with that fixed to 2023.02.x and 2023.05.x, thanks.

Patch

diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
new file mode 100644
index 0000000000..2d16fd6df2
--- /dev/null
+++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
@@ -0,0 +1,270 @@ 
+From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Sat, 15 Jul 2023 02:22:10 +0200
+Subject: [PATCH] backport fix for go Host header check
+
+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
+    
+  https://github.com/golang/go/issues/60374
+
+docker-cli fails this check:
+
+  $ docker exec -it ctr bash
+  http: invalid Host header
+
+This is a backported patch to fix this issue.
+
+Issue: https://github.com/moby/moby/issues/45935
+Upstream PR: https://github.com/moby/moby/pull/45942
+
+The upstream PR has been merged and will be included in v24.0.5.
+
+Signed-off-by: Christian Stewart <christian@aperture.us>
+
+---
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in  https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+---
+ vendor.mod                                    | 16 +++++-----
+ vendor.sum                                    | 32 +++++++++----------
+ .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++
+ .../github.com/docker/docker/client/hijack.go |  6 +++-
+ .../docker/docker/client/request.go           | 10 +++---
+ 6 files changed, 72 insertions(+), 40 deletions(-)
+
+diff --git a/vendor.mod b/vendor.mod
+index 93b252033b..ed4f4e8050 100644
+--- a/vendor.mod
++++ b/vendor.mod
+@@ -10,7 +10,7 @@ require (
+ 	github.com/containerd/containerd v1.6.21
+ 	github.com/creack/pty v1.1.18
+ 	github.com/docker/distribution v2.8.2+incompatible
+-	github.com/docker/docker v24.0.2+incompatible
++	github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible // 24.0 branch
+ 	github.com/docker/docker-credential-helpers v0.7.0
+ 	github.com/docker/go-connections v0.4.0
+ 	github.com/docker/go-units v0.5.0
+@@ -23,24 +23,24 @@ require (
+ 	github.com/mitchellh/mapstructure v1.3.2
+ 	github.com/moby/buildkit v0.11.6
+ 	github.com/moby/patternmatcher v0.5.0
+-	github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7
++	github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b
+ 	github.com/moby/sys/sequential v0.5.0
+ 	github.com/moby/sys/signal v0.7.0
+ 	github.com/moby/term v0.5.0
+ 	github.com/morikuni/aec v1.0.0
+ 	github.com/opencontainers/go-digest v1.0.0
+-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
++	github.com/opencontainers/image-spec v1.1.0-rc3
+ 	github.com/pkg/errors v0.9.1
+-	github.com/sirupsen/logrus v1.9.0
++	github.com/sirupsen/logrus v1.9.3
+ 	github.com/spf13/cobra v1.7.0
+ 	github.com/spf13/pflag v1.0.5
+ 	github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
+ 	github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
+ 	github.com/xeipuuv/gojsonschema v1.2.0
+ 	golang.org/x/sync v0.1.0
+-	golang.org/x/sys v0.6.0
+-	golang.org/x/term v0.6.0
+-	golang.org/x/text v0.8.0
++	golang.org/x/sys v0.8.0
++	golang.org/x/term v0.8.0
++	golang.org/x/text v0.9.0
+ 	gopkg.in/yaml.v2 v2.4.0
+ 	gotest.tools/v3 v3.4.0
+ )
+@@ -71,7 +71,7 @@ require (
+ 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+ 	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
+ 	golang.org/x/crypto v0.2.0 // indirect
+-	golang.org/x/net v0.8.0 // indirect
++	golang.org/x/net v0.10.0 // indirect
+ 	golang.org/x/time v0.3.0 // indirect
+ 	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
+ 	google.golang.org/grpc v1.50.1 // indirect
+diff --git a/vendor.sum b/vendor.sum
+index 15bc7cd703..3f8fbc6294 100644
+--- a/vendor.sum
++++ b/vendor.sum
+@@ -96,8 +96,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
+ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+ github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+ github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+-github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
+-github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible h1:sdGvA1bxu/1J51gAs1XU0bZC+2WxncYnI210as3c6g8=
++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+ github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
+ github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
+ github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
+@@ -273,8 +273,8 @@ github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
+ github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
+ github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
+ github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7 h1:h6NclNly6/B9N4IdM5pcBaq/LkNLuaCmE7B44Vj+pb0=
+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7/go.mod h1:P/ha3F7UZMmuUvqrHw9cZK/BjktSngQIgRPiairNHTc=
++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b h1:w07xyBXYTrihwBqCkuXPLqcQ1a2guqXlRIocU+e9K7A=
++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b/go.mod h1:Z5i5At5g0zU+ZBWb/95yVwDeNQX8BZmei9ZoYvoVD7g=
+ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
+ github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+ github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
+@@ -301,8 +301,8 @@ github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
+ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
++github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
++github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+ github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk=
+ github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
+ github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU=
+@@ -357,8 +357,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
+ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
++github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
++github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
+ github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+@@ -482,8 +482,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
+ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
++golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
++golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+@@ -553,13 +553,13 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
+ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
++golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
++golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
++golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
++golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -568,8 +568,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
++golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
++golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
+index 1c081a51ae..54fa36cca8 100644
+--- a/vendor/github.com/docker/docker/client/client.go
++++ b/vendor/github.com/docker/docker/client/client.go
+@@ -56,6 +56,36 @@ import (
+ 	"github.com/pkg/errors"
+ )
+ 
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++//	If the authority component is missing or undefined for the target URI,
++//	then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++//   - https://github.com/docker/engine-api/issues/189
++//   - https://github.com/golang/go/issues/13624
++//   - https://github.com/golang/go/issues/61076
++//   - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+ 
+diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
+index 6bdacab10a..4dcaaca4c5 100644
+--- a/vendor/github.com/docker/docker/client/hijack.go
++++ b/vendor/github.com/docker/docker/client/hijack.go
+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+ 
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
+-	req.Host = cli.addr
++	req.URL.Host = cli.addr
++	if cli.proto == "unix" || cli.proto == "npipe" {
++		// Override host header for non-tcp connections.
++		req.Host = DummyHost
++	}
+ 	req.Header.Set("Connection", "Upgrade")
+ 	req.Header.Set("Upgrade", proto)
+ 
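Review bot: The `cli.proto == "unix" || cli.proto == "npipe"` test that selects DummyHost is now written out twice, here in setupHijackConn and again in buildRequest in request.go. A transport handled at one site and not the other would bring back the `http: invalid Host header` failure on that path only. An unexported one-line helper would keep the two call sites in sync, for example `func (cli *Client) isLocalProto() bool { return cli.proto == "unix" || cli.proto == "npipe" }`. The new comment at both sites would also serve better if it gave the reason, for example `// cli.addr is presumably a socket or pipe path here, which Go's Host header check rejects; send DummyHost instead.` For TCP, req.Host is now left unset and presumably falls back to req.URL.Host, which should be confirmed on the hijack path because setupHijackConn continues past the end of this hunk.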
+diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
+index c799095c12..bcedcf3bd9 100644
+--- a/vendor/github.com/docker/docker/client/request.go
++++ b/vendor/github.com/docker/docker/client/request.go
+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ 		return nil, err
+ 	}
+ 	req = cli.addHeaders(req, headers)
++	req.URL.Scheme = cli.scheme
++	req.URL.Host = cli.addr
+ 
+ 	if cli.proto == "unix" || cli.proto == "npipe" {
+-		// For local communications, it doesn't matter what the host is. We just
+-		// need a valid and meaningful host name. (See #189)
+-		req.Host = "docker"
++		// Override host header for non-tcp connections.
++		req.Host = DummyHost
+ 	}
+ 
+-	req.URL.Host = cli.addr
+-	req.URL.Scheme = cli.scheme
+-
+ 	if expectedPayload && req.Header.Get("Content-Type") == "" {
+ 		req.Header.Set("Content-Type", "text/plain")
+ 	}
+-- 
+2.41.0
+