* [Buildroot] [PATCH v1 1/2] package/docker-engine: backport fix for host header check
From: Christian Stewart via buildroot @ 2023-07-17 4:10 UTC (permalink / raw)
To: buildroot
Cc: Christian Stewart, Anisse Astier, Thomas Petazzoni, Yann E . MORIN
Go 1.20.6 and 1.19.11 include a security check of the http Host header:

  https://github.com/golang/go/issues/60374

docker-cli does not satisfy this check:

  $ docker exec -it ctr bash
  http: invalid Host header

This is a backported patch to fix this issue:

Issue: https://github.com/moby/moby/issues/45935
Upstream PR: https://github.com/moby/moby/pull/45942

The upstream PR has been merged and will be included in v24.0.5.
Signed-off-by: Christian Stewart <christian@aperture.us>
---
...dummy-hostname-to-use-for-local-conn.patch | 174 ++++++++++++++++++
...a-dummy-hostname-for-local-connectio.patch | 69 +++++++
2 files changed, 243 insertions(+)
create mode 100644 package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
create mode 100644 package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
diff --git a/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
new file mode 100644
index 0000000000..c5f8d1eb71
--- /dev/null
+++ b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
@@ -0,0 +1,174 @@
+From 8ced4331e5e3a6760465a8ce2bd42c66d3232c96 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 14:15:38 +0200
+Subject: [PATCH] client: define a "dummy" hostname to use for local
+ connections
+
+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
+
+ https://github.com/golang/go/issues/60374
+
+This is a backported patch to fix this issue.
+
+Issue: https://github.com/moby/moby/issues/45935
+Upstream PR: https://github.com/moby/moby/pull/45942
+
+The upstream PR has been merged and will be included in v24.0.5.
+
+Signed-off-by: Christian Stewart <christian@aperture.us>
+
+---
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the client's `addr` as hostname in some cases, which
+could contain the path for the unix-socket (`/var/run/docker.sock`), which
+gets rejected by go1.20.6 and go1.19.11 because of a security fix for
+[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+This patch introduces a `DummyHost` const, and uses this dummy host for
+cases where we don't need an actual hostname.
+
+Before this patch (using go1.20.6):
+
+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+ === RUN TestAttachWithTTY
+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+ --- FAIL: TestAttachWithTTY (0.11s)
+ === RUN TestAttachWithoutTTy
+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+ --- FAIL: TestAttachWithoutTTy (0.02s)
+ FAIL
+
+With this patch applied:
+
+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+ INFO: Testing against a local daemon
+ === RUN TestAttachWithTTY
+ --- PASS: TestAttachWithTTY (0.12s)
+ === RUN TestAttachWithoutTTy
+ --- PASS: TestAttachWithoutTTy (0.02s)
+ PASS
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ client/client.go | 30 ++++++++++++++++++++++++++++++
+ client/hijack.go | 6 +++++-
+ client/request.go | 10 ++++------
+ client/request_test.go | 4 ++--
+ 4 files changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/client/client.go b/client/client.go
+index 1c081a51ae..54fa36cca8 100644
+--- a/client/client.go
++++ b/client/client.go
+@@ -56,6 +56,36 @@ import (
+ "github.com/pkg/errors"
+ )
+
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++// If the authority component is missing or undefined for the target URI,
++// then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++// - https://github.com/docker/engine-api/issues/189
++// - https://github.com/golang/go/issues/13624
++// - https://github.com/golang/go/issues/61076
++// - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+
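Review bot: Exporting `DummyHost` makes the literal "api.moby.localhost" part of the client package's public API, and anything on the daemon side (access logs, authz plugins) that matches on the Host header will now see this value; the doc comment should say that the value is intended to be stable, or the constant should be unexported if it is not. The comment correctly cites RFC 7230 section 5.4's empty Host as the strictly conforming form; adding one sentence that the non-empty dummy exists only because the Go transport rejects an empty Host (the linked golang/go#61076) would stop a future reader from "fixing" it back to empty.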
+diff --git a/client/hijack.go b/client/hijack.go
+index 6bdacab10a..4dcaaca4c5 100644
+--- a/client/hijack.go
++++ b/client/hijack.go
+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
+- req.Host = cli.addr
++ req.URL.Host = cli.addr
++ if cli.proto == "unix" || cli.proto == "npipe" {
++ // Override host header for non-tcp connections.
++ req.Host = DummyHost
++ }
+ req.Header.Set("Connection", "Upgrade")
+ req.Header.Set("Upgrade", proto)
+
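Review bot: For tcp connections this hunk stops assigning `req.Host` at all and relies on `req.URL.Host = cli.addr`; net/http falls back to `URL.Host` when `req.Host` is empty, so the wire Host header is unchanged for tcp, but that equivalence is implicit. A short comment above `req.URL.Host = cli.addr` stating that tcp keeps the real address as Host would make the intent explicit, and the `unix`/`npipe` condition duplicated in `buildRequest` (request.go) should ideally be factored into one helper so the two paths cannot diverge again.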
+diff --git a/client/request.go b/client/request.go
+index c799095c12..bcedcf3bd9 100644
+--- a/client/request.go
++++ b/client/request.go
+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ return nil, err
+ }
+ req = cli.addHeaders(req, headers)
++ req.URL.Scheme = cli.scheme
++ req.URL.Host = cli.addr
+
+ if cli.proto == "unix" || cli.proto == "npipe" {
+- // For local communications, it doesn't matter what the host is. We just
+- // need a valid and meaningful host name. (See #189)
+- req.Host = "docker"
++ // Override host header for non-tcp connections.
++ req.Host = DummyHost
+ }
+
+- req.URL.Host = cli.addr
+- req.URL.Scheme = cli.scheme
+-
+ if expectedPayload && req.Header.Get("Content-Type") == "" {
+ req.Header.Set("Content-Type", "text/plain")
+ }
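Review bot: The move of `req.URL.Scheme` / `req.URL.Host` above the proto check is harmless, since `req.Host` and `req.URL.Host` are independent fields, but it is unrelated to the fix and widens the diff for a stable-branch backport; the minimal change here is the one-line replacement of `"docker"` with `DummyHost`. Per the commit message it was the hijack path's use of `cli.addr` (the socket path) that failed the Go check, not this `"docker"` literal, so the message should say this hunk is a consistency change rather than part of the bug fix.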
+diff --git a/client/request_test.go b/client/request_test.go
+index 6e5a6e81f2..50b09d954c 100644
+--- a/client/request_test.go
++++ b/client/request_test.go
+@@ -29,12 +29,12 @@ func TestSetHostHeader(t *testing.T) {
+ }{
+ {
+ "unix:///var/run/docker.sock",
+- "docker",
++ DummyHost,
+ "/var/run/docker.sock",
+ },
+ {
+ "npipe:////./pipe/docker_engine",
+- "docker",
++ DummyHost,
+ "//./pipe/docker_engine",
+ },
+ {
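Review bot: The test table update only covers the unix and npipe rows visible here; since the hijack path now derives the tcp Host header from `req.URL.Host` instead of setting `req.Host`, a tcp row asserting that the Host header equals the address, plus a test that exercises `setupHijackConn` (which `TestSetHostHeader` does not), would catch a regression in the branch this patch changed.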
+--
+2.41.0
+
diff --git a/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
new file mode 100644
index 0000000000..5bd8682927
--- /dev/null
+++ b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
@@ -0,0 +1,69 @@
+From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 15:07:59 +0200
+Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+Before this patch, tests would fail on go1.20.6:
+
+ === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
+ time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
+ time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
+ time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
+ time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
+ authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ pkg/plugins/client.go | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
+index 752fecd0ae..e683eb777d 100644
+--- a/pkg/plugins/client.go
++++ b/pkg/plugins/client.go
+@@ -18,6 +18,12 @@ import (
+
+ const (
+ defaultTimeOut = 30
++
++ // dummyHost is a hostname used for local communication.
++ //
++ // For local communications (npipe://, unix://), the hostname is not used,
++ // but we need valid and meaningful hostname.
++ dummyHost = "plugin.moby.localhost"
+ )
+
+ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
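Review bot: `dummyHost` here is "plugin.moby.localhost" while the client package uses "api.moby.localhost"; distinct names per subsystem are useful because a plugin or daemon log can attribute a request to the plugin client, but that rationale is not recorded. Suggest a comment such as `// Distinct from client.DummyHost so plugin requests can be told apart in logs.` and, while touching the comment, "we need a valid and meaningful hostname".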
+@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
+ return nil, err
+ }
+ scheme := httpScheme(u)
+-
+- return transport.NewHTTPTransport(tr, scheme, socket), nil
++ hostName := u.Host
++ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
++ // Override host header for non-tcp connections.
++ hostName = dummyHost
++ }
++ return transport.NewHTTPTransport(tr, scheme, hostName), nil
+ }
+
+ // NewClient creates a new plugin client (http).
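Review bot: The `hostName == ""` condition falls back to the dummy host for any scheme, so a malformed tcp:// plugin address with an empty host would silently be sent with Host "plugin.moby.localhost" instead of failing here; restricting the fallback to `u.Scheme == "unix" || u.Scheme == "npipe"` (or returning an error for a tcp URL with no host) keeps the misconfiguration visible. The old code passed `socket` as the host; if `socket` is no longer referenced above this hunk, the package will fail to compile on the unused variable, so confirm it is still consumed by the dialer.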
+--
+2.41.0
+
--
2.41.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
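As an added illustration (not code from the patches, from Docker, or from Go's source), this Go program re-implements the byte-level Host header check that Go 1.20.6 / 1.19.11 apply in the transport and runs the page's pre-patch and post-patch host choices through it; `validHostByte` is a hand port of the table in golang.org/x/net/http/httpguts, and `hostHeaderBefore`, `hostHeaderAfter` and `pluginHostHeader` are my models of the patched logic, not the Docker client itself.

```go
package main

import (
	"errors"
	"fmt"
)

// validHostByte mirrors the byte table the Go transport checks the Host
// header against since 1.20.6 / 1.19.11 (httpguts.ValidHostHeader): RFC 3986
// unreserved, sub-delims, pct-encoded, plus ':' '[' ']' for ports and IPv6.
// '/' is absent, which is why a socket path used as Host is rejected.
// Hand-ported here for illustration; not the Go source.
var validHostByte = func() [256]bool {
	var t [256]bool
	for c := '0'; c <= '9'; c++ {
		t[c] = true
	}
	for c := 'a'; c <= 'z'; c++ {
		t[c] = true
	}
	for c := 'A'; c <= 'Z'; c++ {
		t[c] = true
	}
	for _, c := range "!$%&'()*+,-.:;=[]_~" {
		t[c] = true
	}
	return t
}()

// ValidHostHeader reports whether every byte of h is allowed in a Host header.
func ValidHostHeader(h string) bool {
	for i := 0; i < len(h); i++ {
		if !validHostByte[h[i]] {
			return false
		}
	}
	return true
}

// ErrInvalidHost carries the error text seen in the bug reports on this page.
var ErrInvalidHost = errors.New("http: invalid Host header")

// Dummy hostnames introduced by the two backported Docker patches.
const (
	DummyHost       = "api.moby.localhost"    // client package
	pluginDummyHost = "plugin.moby.localhost" // pkg/plugins
)

// hostHeaderBefore models the pre-patch hijack path: req.Host = cli.addr.
func hostHeaderBefore(proto, addr string) string { return addr }

// hostHeaderAfter models the patched client: unix/npipe get DummyHost,
// tcp keeps the real address so the Host header still names the peer.
func hostHeaderAfter(proto, addr string) string {
	if proto == "unix" || proto == "npipe" {
		return DummyHost
	}
	return addr
}

// pluginHostHeader models the pkg/plugins fix: an empty URL host or a local
// scheme gets the plugin dummy host, otherwise the URL host is kept.
func pluginHostHeader(scheme, urlHost string) string {
	if urlHost == "" || scheme == "unix" || scheme == "npipe" {
		return pluginDummyHost
	}
	return urlHost
}

// checkRequest is the transport-side gate the Go security fix added.
func checkRequest(host string) error {
	if !ValidHostHeader(host) {
		return ErrInvalidHost
	}
	return nil
}

func main() {
	// Constructed sample endpoints matching the cases in the patches.
	cases := []struct{ proto, addr string }{
		{"unix", "/var/run/docker.sock"},
		{"npipe", "//./pipe/docker_engine"},
		{"tcp", "127.0.0.1:2376"},
		{"tcp", "[::1]:2376"},
	}
	for _, c := range cases {
		before := checkRequest(hostHeaderBefore(c.proto, c.addr))
		after := checkRequest(hostHeaderAfter(c.proto, c.addr))
		fmt.Printf("%-5s %-24s before=%v after=%v\n", c.proto, c.addr, before, after)
	}
}
```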
* [Buildroot] [PATCH v1 2/2] package/docker-cli: backport fix for host header check
From: Christian Stewart via buildroot @ 2023-07-17 4:10 UTC (permalink / raw)
To: buildroot
Cc: Christian Stewart, Anisse Astier, Thomas Petazzoni, Yann E . MORIN
Go 1.20.6 and 1.19.11 include a security check of the http Host header:

  https://github.com/golang/go/issues/60374

docker-cli does not satisfy this check:

  $ docker exec -it ctr bash
  http: invalid Host header

This is a backported patch to fix this issue:

Issue: https://github.com/moby/moby/issues/45935
Upstream PR: https://github.com/moby/moby/pull/45942

The upstream PR has been merged and will be included in v24.0.5.
Signed-off-by: Christian Stewart <christian@aperture.us>
---
 ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
1 file changed, 270 insertions(+)
create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
new file mode 100644
index 0000000000..2d16fd6df2
--- /dev/null
+++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
@@ -0,0 +1,270 @@
+From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Sat, 15 Jul 2023 02:22:10 +0200
+Subject: [PATCH] backport fix for go Host header check
+
+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
+
+ https://github.com/golang/go/issues/60374
+
+docker-cli fails this check:
+
+ $ docker exec -it ctr bash
+ http: invalid Host header
+
+This is a backported patch to fix this issue.
+
+Issue: https://github.com/moby/moby/issues/45935
+Upstream PR: https://github.com/moby/moby/pull/45942
+
+The upstream PR has been merged and will be included in v24.0.5.
+
+Signed-off-by: Christian Stewart <christian@aperture.us>
+
+---
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+---
+ vendor.mod | 16 +++++-----
+ vendor.sum | 32 +++++++++----------
+ .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++
+ .../github.com/docker/docker/client/hijack.go | 6 +++-
+ .../docker/docker/client/request.go | 10 +++---
+ 6 files changed, 72 insertions(+), 40 deletions(-)
+
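Review bot: The diffstat says "6 files changed" but lists only five (vendor.mod, vendor.sum, client.go, hijack.go, request.go); a bump of `github.com/docker/docker` in vendor.mod would normally also rewrite `vendor/modules.txt`, which is missing here, so either the diffstat is stale or that file was dropped, and a `-mod=vendor` build would then report an inconsistent vendor directory. Please regenerate the patch with the full `go mod vendor` output, and state in the message which upstream engine commit the vendored client changes correspond to (the docker-engine 1/2 patch identifies it as 92975f0c11f0566cc3c36659f5e3bb9faf5cb176) instead of presenting this as a single upstream commit.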
+diff --git a/vendor.mod b/vendor.mod
+index 93b252033b..ed4f4e8050 100644
+--- a/vendor.mod
++++ b/vendor.mod
+@@ -10,7 +10,7 @@ require (
+ github.com/containerd/containerd v1.6.21
+ github.com/creack/pty v1.1.18
+ github.com/docker/distribution v2.8.2+incompatible
+- github.com/docker/docker v24.0.2+incompatible
++ github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible // 24.0 branch
+ github.com/docker/docker-credential-helpers v0.7.0
+ github.com/docker/go-connections v0.4.0
+ github.com/docker/go-units v0.5.0
+@@ -23,24 +23,24 @@ require (
+ github.com/mitchellh/mapstructure v1.3.2
+ github.com/moby/buildkit v0.11.6
+ github.com/moby/patternmatcher v0.5.0
+- github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7
++ github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b
+ github.com/moby/sys/sequential v0.5.0
+ github.com/moby/sys/signal v0.7.0
+ github.com/moby/term v0.5.0
+ github.com/morikuni/aec v1.0.0
+ github.com/opencontainers/go-digest v1.0.0
+- github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
++ github.com/opencontainers/image-spec v1.1.0-rc3
+ github.com/pkg/errors v0.9.1
+- github.com/sirupsen/logrus v1.9.0
++ github.com/sirupsen/logrus v1.9.3
+ github.com/spf13/cobra v1.7.0
+ github.com/spf13/pflag v1.0.5
+ github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
+ github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
+ github.com/xeipuuv/gojsonschema v1.2.0
+ golang.org/x/sync v0.1.0
+- golang.org/x/sys v0.6.0
+- golang.org/x/term v0.6.0
+- golang.org/x/text v0.8.0
++ golang.org/x/sys v0.8.0
++ golang.org/x/term v0.8.0
++ golang.org/x/text v0.9.0
+ gopkg.in/yaml.v2 v2.4.0
+ gotest.tools/v3 v3.4.0
+ )
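Review bot: This hunk bumps swarmkit, image-spec, logrus, x/sys, x/term and x/text, none of which is needed for the Host header fix, and no vendored source for those modules is updated anywhere in this patch, so vendor.mod and the vendor tree end up disagreeing. For a stable-branch backport into Buildroot the safer patch bumps only docker/docker together with its three client files; if the extra bumps are required for the docker/docker pseudo-version to resolve, say so in the commit message.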
+@@ -71,7 +71,7 @@ require (
+ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+ go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
+ golang.org/x/crypto v0.2.0 // indirect
+- golang.org/x/net v0.8.0 // indirect
++ golang.org/x/net v0.10.0 // indirect
+ golang.org/x/time v0.3.0 // indirect
+ google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
+ google.golang.org/grpc v1.50.1 // indirect
+diff --git a/vendor.sum b/vendor.sum
+index 15bc7cd703..3f8fbc6294 100644
+--- a/vendor.sum
++++ b/vendor.sum
+@@ -96,8 +96,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
+ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+ github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+ github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+-github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
+-github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible h1:sdGvA1bxu/1J51gAs1XU0bZC+2WxncYnI210as3c6g8=
++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+ github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
+ github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
+ github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
+@@ -273,8 +273,8 @@ github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
+ github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
+ github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
+ github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7 h1:h6NclNly6/B9N4IdM5pcBaq/LkNLuaCmE7B44Vj+pb0=
+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7/go.mod h1:P/ha3F7UZMmuUvqrHw9cZK/BjktSngQIgRPiairNHTc=
++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b h1:w07xyBXYTrihwBqCkuXPLqcQ1a2guqXlRIocU+e9K7A=
++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b/go.mod h1:Z5i5At5g0zU+ZBWb/95yVwDeNQX8BZmei9ZoYvoVD7g=
+ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
+ github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
+ github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
+@@ -301,8 +301,8 @@ github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
+ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
++github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
++github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+ github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk=
+ github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
+ github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU=
+@@ -357,8 +357,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
+ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
++github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
++github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
+ github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+@@ -482,8 +482,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
+ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
++golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
++golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+@@ -553,13 +553,13 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
+ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
++golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
++golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
++golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
++golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -568,8 +568,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
++golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
++golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
+index 1c081a51ae..54fa36cca8 100644
+--- a/vendor/github.com/docker/docker/client/client.go
++++ b/vendor/github.com/docker/docker/client/client.go
+@@ -56,6 +56,36 @@ import (
+ "github.com/pkg/errors"
+ )
+
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++// If the authority component is missing or undefined for the target URI,
++// then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++// - https://github.com/docker/engine-api/issues/189
++// - https://github.com/golang/go/issues/13624
++// - https://github.com/golang/go/issues/61076
++// - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+
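Review bot: The vendored client.go, hijack.go and request.go changes are byte-for-byte the docker-engine 0001 backport (same blob ids 1c081a51ae..54fa36cca8), which is good, but the vendor.mod pseudo-version 36e9e796c6fc (dated 2023-07-14) needs checking to confirm it already contains that upstream commit; if it does not, the next `go mod vendor` run will regenerate these files without the fix. Either pin vendor.mod to a commit that includes the cherry-pick or note in the message that 36e9e796c6fc does.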
+diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
+index 6bdacab10a..4dcaaca4c5 100644
+--- a/vendor/github.com/docker/docker/client/hijack.go
++++ b/vendor/github.com/docker/docker/client/hijack.go
+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
+- req.Host = cli.addr
++ req.URL.Host = cli.addr
++ if cli.proto == "unix" || cli.proto == "npipe" {
++ // Override host header for non-tcp connections.
++ req.Host = DummyHost
++ }
+ req.Header.Set("Connection", "Upgrade")
+ req.Header.Set("Upgrade", proto)
+
+diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
+index c799095c12..bcedcf3bd9 100644
+--- a/vendor/github.com/docker/docker/client/request.go
++++ b/vendor/github.com/docker/docker/client/request.go
+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ return nil, err
+ }
+ req = cli.addHeaders(req, headers)
++ req.URL.Scheme = cli.scheme
++ req.URL.Host = cli.addr
+
+ if cli.proto == "unix" || cli.proto == "npipe" {
+- // For local communications, it doesn't matter what the host is. We just
+- // need a valid and meaningful host name. (See #189)
+- req.Host = "docker"
++ // Override host header for non-tcp connections.
++ req.Host = DummyHost
+ }
+
+- req.URL.Host = cli.addr
+- req.URL.Scheme = cli.scheme
+-
+ if expectedPayload && req.Header.Get("Content-Type") == "" {
+ req.Header.Set("Content-Type", "text/plain")
+ }
+--
+2.41.0
+
--
2.41.0
* Re: [Buildroot] [PATCH v1 2/2] package/docker-cli: backport fix for host header check
From: TIAN Yuanhao @ 2023-07-21 5:50 UTC (permalink / raw)
To: buildroot; +Cc: Christian Stewart
Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
At 2023-07-17 12:10:47, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
>Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>
> https://github.com/golang/go/issues/60374
>
>docker-cli does not satisfy this check:
>
> $ docker exec -it ctr bash
> http: invalid Host header
>
>This is a backported patch to fix this issue:
>
>Issue: https://github.com/moby/moby/issues/45935
>Upstream PR: https://github.com/moby/moby/pull/45942
>
>The upstream PR has been merged and will be included in v24.0.5.
>
>Signed-off-by: Christian Stewart <christian@aperture.us>
>---
> ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
> 1 file changed, 270 insertions(+)
> create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>
>diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>new file mode 100644
>index 0000000000..2d16fd6df2
>--- /dev/null
>+++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>@@ -0,0 +1,270 @@
>+From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
>+From: Sebastiaan van Stijn <github@gone.nl>
>+Date: Sat, 15 Jul 2023 02:22:10 +0200
>+Subject: [PATCH] backport fix for go Host header check
>+
>+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>+
>+ https://github.com/golang/go/issues/60374
>+
>+docker-cli fails this check:
>+
>+ $ docker exec -it ctr bash
>+ http: invalid Host header
>+
>+This is a backported patch to fix this issue.
>+
>+Issue: https://github.com/moby/moby/issues/45935
>+Upstream PR: https://github.com/moby/moby/pull/45942
>+
>+The upstream PR has been merged and will be included in v24.0.5.
>+
>+Signed-off-by: Christian Stewart <christian@aperture.us>
>+
>+---
>+
>+For local communications (npipe://, unix://), the hostname is not used,
>+but we need valid and meaningful hostname.
>+
>+The current code used the socket path as hostname, which gets rejected by
>+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
>+which was implemented in https://go.dev/issue/60374.
>+
>+Prior versions go Go would clean the host header, and strip slashes in the
>+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
>+header.
>+---
>+ vendor.mod | 16 +++++-----
>+ vendor.sum | 32 +++++++++----------
>+ .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++
>+ .../github.com/docker/docker/client/hijack.go | 6 +++-
>+ .../docker/docker/client/request.go | 10 +++---
>+ 6 files changed, 72 insertions(+), 40 deletions(-)
>+
>+diff --git a/vendor.mod b/vendor.mod
>+index 93b252033b..ed4f4e8050 100644
>+--- a/vendor.mod
>++++ b/vendor.mod
>+@@ -10,7 +10,7 @@ require (
>+ github.com/containerd/containerd v1.6.21
>+ github.com/creack/pty v1.1.18
>+ github.com/docker/distribution v2.8.2+incompatible
>+- github.com/docker/docker v24.0.2+incompatible
>++ github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible // 24.0 branch
>+ github.com/docker/docker-credential-helpers v0.7.0
>+ github.com/docker/go-connections v0.4.0
>+ github.com/docker/go-units v0.5.0
>+@@ -23,24 +23,24 @@ require (
>+ github.com/mitchellh/mapstructure v1.3.2
>+ github.com/moby/buildkit v0.11.6
>+ github.com/moby/patternmatcher v0.5.0
>+- github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7
>++ github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b
>+ github.com/moby/sys/sequential v0.5.0
>+ github.com/moby/sys/signal v0.7.0
>+ github.com/moby/term v0.5.0
>+ github.com/morikuni/aec v1.0.0
>+ github.com/opencontainers/go-digest v1.0.0
>+- github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
>++ github.com/opencontainers/image-spec v1.1.0-rc3
>+ github.com/pkg/errors v0.9.1
>+- github.com/sirupsen/logrus v1.9.0
>++ github.com/sirupsen/logrus v1.9.3
>+ github.com/spf13/cobra v1.7.0
>+ github.com/spf13/pflag v1.0.5
>+ github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a
>+ github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
>+ github.com/xeipuuv/gojsonschema v1.2.0
>+ golang.org/x/sync v0.1.0
>+- golang.org/x/sys v0.6.0
>+- golang.org/x/term v0.6.0
>+- golang.org/x/text v0.8.0
>++ golang.org/x/sys v0.8.0
>++ golang.org/x/term v0.8.0
>++ golang.org/x/text v0.9.0
>+ gopkg.in/yaml.v2 v2.4.0
>+ gotest.tools/v3 v3.4.0
>+ )
>+@@ -71,7 +71,7 @@ require (
>+ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
>+ go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
>+ golang.org/x/crypto v0.2.0 // indirect
>+- golang.org/x/net v0.8.0 // indirect
>++ golang.org/x/net v0.10.0 // indirect
>+ golang.org/x/time v0.3.0 // indirect
>+ google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
>+ google.golang.org/grpc v1.50.1 // indirect
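Review bot: the vendor.mod hunks pull in dependency bumps (swarmkit, image-spec, logrus, golang.org/x/net, x/sys, x/term, x/text) that the Host header fix does not need; a backport limited to the three vendor/github.com/docker/docker/client files would be smaller and would apply cleanly to older docker-cli releases. Note also that the diffstat above says `6 files changed` but lists only five paths, so one file (most likely vendor/modules.txt) has been dropped from the backport; if modules.txt still records `github.com/docker/docker v24.0.2+incompatible` while vendor.mod now says `v24.0.5-0.20230714235725-36e9e796c6fc+incompatible`, a `-mod=vendor` build may fail Go's vendor consistency check. Either carry that file as well or drop the vendor.mod/vendor.sum hunks entirely.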
>+diff --git a/vendor.sum b/vendor.sum
>+index 15bc7cd703..3f8fbc6294 100644
>+--- a/vendor.sum
>++++ b/vendor.sum
>+@@ -96,8 +96,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb
>+ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
>+ github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
>+ github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
>+-github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
>+-github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
>++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible h1:sdGvA1bxu/1J51gAs1XU0bZC+2WxncYnI210as3c6g8=
>++github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
>+ github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
>+ github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
>+ github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
>+@@ -273,8 +273,8 @@ github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
>+ github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
>+ github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
>+ github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
>+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7 h1:h6NclNly6/B9N4IdM5pcBaq/LkNLuaCmE7B44Vj+pb0=
>+-github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7/go.mod h1:P/ha3F7UZMmuUvqrHw9cZK/BjktSngQIgRPiairNHTc=
>++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b h1:w07xyBXYTrihwBqCkuXPLqcQ1a2guqXlRIocU+e9K7A=
>++github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b/go.mod h1:Z5i5At5g0zU+ZBWb/95yVwDeNQX8BZmei9ZoYvoVD7g=
>+ github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
>+ github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
>+ github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
>+@@ -301,8 +301,8 @@ github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
>+ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
>+ github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
>+ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
>+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
>+-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
>++github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
>++github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
>+ github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk=
>+ github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
>+ github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU=
>+@@ -357,8 +357,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
>+ github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
>+ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
>+ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
>+-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
>+-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
>++github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
>++github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
>+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
>+ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
>+ github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
>+@@ -482,8 +482,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
>+ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
>+ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
>+ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
>+-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
>+-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
>++golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
>++golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
>+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
>+ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
>+ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
>+@@ -553,13 +553,13 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
>+ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
>+-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>++golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
>++golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
>+ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
>+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
>+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
>+-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
>+-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
>++golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
>++golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
>+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
>+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
>+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
>+@@ -568,8 +568,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
>+ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
>+ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
>+ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
>+-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
>+-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
>++golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
>++golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
>+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
>+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
>+ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
>+diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
>+index 1c081a51ae..54fa36cca8 100644
>+--- a/vendor/github.com/docker/docker/client/client.go
>++++ b/vendor/github.com/docker/docker/client/client.go
>+@@ -56,6 +56,36 @@ import (
>+ "github.com/pkg/errors"
>+ )
>+
>++// DummyHost is a hostname used for local communication.
>++//
>++// It acts as a valid formatted hostname for local connections (such as "unix://"
>++// or "npipe://") which do not require a hostname. It should never be resolved,
>++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
>++// and [RFC 6761, Section 6.3]).
>++//
>++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
>++// cases:
>++//
>++// If the authority component is missing or undefined for the target URI,
>++// then a client MUST send a Host header field with an empty field-value.
>++//
>++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
>++// allow an empty header to be used, and requires req.URL.Scheme to be either
>++// "http" or "https".
>++//
>++// For further details, refer to:
>++//
>++// - https://github.com/docker/engine-api/issues/189
>++// - https://github.com/golang/go/issues/13624
>++// - https://github.com/golang/go/issues/61076
>++// - https://github.com/moby/moby/issues/45935
>++//
>++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
>++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
>++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
>++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
>++const DummyHost = "api.moby.localhost"
>++
>+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
>+ var ErrRedirect = errors.New("unexpected redirect in response")
>+
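Review bot: the doc comment cites RFC 7230 Section 5.4 for the empty-Host rule, but RFC 7230 has been obsoleted by RFC 9112, whose Section 3.2 carries the same requirement ("a client MUST send a Host header field with an empty field value"); citing RFC 9112 (or both) keeps the reference current. The comment also states the name "should never be resolved" without saying what guarantees that; a sentence noting that the unix/npipe transport dials the socket directly and never hands `DummyHost` to a resolver or proxy would make the expectation explicit for anyone later adding a transport. Since `DummyHost` is exported, it also becomes part of the client package's public API, so the doc block is effectively the contract for downstream users.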
>+diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
>+index 6bdacab10a..4dcaaca4c5 100644
>+--- a/vendor/github.com/docker/docker/client/hijack.go
>++++ b/vendor/github.com/docker/docker/client/hijack.go
>+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
>+ }
>+
>+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
>+- req.Host = cli.addr
>++ req.URL.Host = cli.addr
>++ if cli.proto == "unix" || cli.proto == "npipe" {
>++ // Override host header for non-tcp connections.
>++ req.Host = DummyHost
>++ }
>+ req.Header.Set("Connection", "Upgrade")
>+ req.Header.Set("Upgrade", proto)
>+
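Review bot: `cli.proto == "unix" || cli.proto == "npipe"` is now duplicated here and in request.go; a small predicate on Client (for example `cli.isLocal()`) would keep the two call sites from drifting the next time a transport is added. For tcp and other protocols this hunk no longer sets `req.Host` at all and relies on net/http falling back to `req.URL.Host`, which the line above sets to `cli.addr`, so the wire-level Host header for remote daemons is unchanged; it is worth saying so in the comment, because the removed `req.Host = cli.addr` line made that explicit.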
>+diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
>+index c799095c12..bcedcf3bd9 100644
>+--- a/vendor/github.com/docker/docker/client/request.go
>++++ b/vendor/github.com/docker/docker/client/request.go
>+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
>+ return nil, err
>+ }
>+ req = cli.addHeaders(req, headers)
>++ req.URL.Scheme = cli.scheme
>++ req.URL.Host = cli.addr
>+
>+ if cli.proto == "unix" || cli.proto == "npipe" {
>+- // For local communications, it doesn't matter what the host is. We just
>+- // need a valid and meaningful host name. (See #189)
>+- req.Host = "docker"
>++ // Override host header for non-tcp connections.
>++ req.Host = DummyHost
>+ }
>+
>+- req.URL.Host = cli.addr
>+- req.URL.Scheme = cli.scheme
>+-
>+ if expectedPayload && req.Header.Get("Content-Type") == "" {
>+ req.Header.Set("Content-Type", "text/plain")
>+ }
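Review bot: `req.URL.Host = cli.addr` is still applied for unix and npipe, so the request URL keeps the socket path in the authority position and any error that formats the URL will print it percent-encoded (as `http://%2Fvar%2Frun%2Fdocker.sock/...`); that is harmless because the transport dials the socket directly, but a one-line comment above the `if` would stop the next reader from "fixing" it by clearing `req.URL.Host`. The removed comment's pointer to engine-api #189 is now carried by the `DummyHost` doc block, so no rationale is lost by dropping it here.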
>+--
>+2.41.0
>+
>--
>2.41.0
>
>_______________________________________________
>buildroot mailing list
>buildroot@buildroot.org
>https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH v1 1/2] package/docker-engine: backport fix for host header check
2023-07-17 4:10 [Buildroot] [PATCH v1 1/2] package/docker-engine: backport fix for host header check Christian Stewart via buildroot
2023-07-17 4:10 ` [Buildroot] [PATCH v1 2/2] package/docker-cli: " Christian Stewart via buildroot
@ 2023-07-21 5:51 ` TIAN Yuanhao
2023-09-06 19:00 ` Peter Korsgaard
1 sibling, 1 reply; 6+ messages in thread
From: TIAN Yuanhao @ 2023-07-21 5:51 UTC (permalink / raw)
To: buildroot; +Cc: Christian Stewart
Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
At 2023-07-17 12:10:46, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
>Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>
> https://github.com/golang/go/issues/60374
>
>docker-cli does not satisfy this check:
>
> $ docker exec -it ctr bash
> http: invalid Host header
>
>This is a backported patch to fix this issue:
>
>Issue: https://github.com/moby/moby/issues/45935
>Upstream PR: https://github.com/moby/moby/pull/45942
>
>The upstream PR has been merged and will be included in v24.0.5.
>
>Signed-off-by: Christian Stewart <christian@aperture.us>
>---
> ...dummy-hostname-to-use-for-local-conn.patch | 174 ++++++++++++++++++
> ...a-dummy-hostname-for-local-connectio.patch | 69 +++++++
> 2 files changed, 243 insertions(+)
> create mode 100644 package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
> create mode 100644 package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
>
>diff --git a/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
>new file mode 100644
>index 0000000000..c5f8d1eb71
>--- /dev/null
>+++ b/package/docker-engine/0001-client-define-a-dummy-hostname-to-use-for-local-conn.patch
>@@ -0,0 +1,174 @@
>+From 8ced4331e5e3a6760465a8ce2bd42c66d3232c96 Mon Sep 17 00:00:00 2001
>+From: Sebastiaan van Stijn <github@gone.nl>
>+Date: Wed, 12 Jul 2023 14:15:38 +0200
>+Subject: [PATCH] client: define a "dummy" hostname to use for local
>+ connections
>+
>+Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>+
>+ https://github.com/golang/go/issues/60374
>+
>+This is a backported patch to fix this issue.
>+
>+Issue: https://github.com/moby/moby/issues/45935
>+Upstream PR: https://github.com/moby/moby/pull/45942
>+
>+The upstream PR has been merged and will be included in v24.0.5.
>+
>+Signed-off-by: Christian Stewart <christian@aperture.us>
>+
>+---
>+
>+For local communications (npipe://, unix://), the hostname is not used,
>+but we need valid and meaningful hostname.
>+
>+The current code used the client's `addr` as hostname in some cases, which
>+could contain the path for the unix-socket (`/var/run/docker.sock`), which
>+gets rejected by go1.20.6 and go1.19.11 because of a security fix for
>+[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
>+
>+Prior versions go Go would clean the host header, and strip slashes in the
>+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
>+header.
>+
>+This patch introduces a `DummyHost` const, and uses this dummy host for
>+cases where we don't need an actual hostname.
>+
>+Before this patch (using go1.20.6):
>+
>+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
>+ === RUN TestAttachWithTTY
>+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
>+ --- FAIL: TestAttachWithTTY (0.11s)
>+ === RUN TestAttachWithoutTTy
>+ attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
>+ --- FAIL: TestAttachWithoutTTy (0.02s)
>+ FAIL
>+
>+With this patch applied:
>+
>+ make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
>+ INFO: Testing against a local daemon
>+ === RUN TestAttachWithTTY
>+ --- PASS: TestAttachWithTTY (0.12s)
>+ === RUN TestAttachWithoutTTy
>+ --- PASS: TestAttachWithoutTTy (0.02s)
>+ PASS
>+
>+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
>+
>+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
>+(cherry picked from commit 92975f0c11f0566cc3c36659f5e3bb9faf5cb176)
>+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
>+---
>+ client/client.go | 30 ++++++++++++++++++++++++++++++
>+ client/hijack.go | 6 +++++-
>+ client/request.go | 10 ++++------
>+ client/request_test.go | 4 ++--
>+ 4 files changed, 41 insertions(+), 9 deletions(-)
>+
>+diff --git a/client/client.go b/client/client.go
>+index 1c081a51ae..54fa36cca8 100644
>+--- a/client/client.go
>++++ b/client/client.go
>+@@ -56,6 +56,36 @@ import (
>+ "github.com/pkg/errors"
>+ )
>+
>++// DummyHost is a hostname used for local communication.
>++//
>++// It acts as a valid formatted hostname for local connections (such as "unix://"
>++// or "npipe://") which do not require a hostname. It should never be resolved,
>++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
>++// and [RFC 6761, Section 6.3]).
>++//
>++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
>++// cases:
>++//
>++// If the authority component is missing or undefined for the target URI,
>++// then a client MUST send a Host header field with an empty field-value.
>++//
>++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
>++// allow an empty header to be used, and requires req.URL.Scheme to be either
>++// "http" or "https".
>++//
>++// For further details, refer to:
>++//
>++// - https://github.com/docker/engine-api/issues/189
>++// - https://github.com/golang/go/issues/13624
>++// - https://github.com/golang/go/issues/61076
>++// - https://github.com/moby/moby/issues/45935
>++//
>++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
>++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
>++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
>++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
>++const DummyHost = "api.moby.localhost"
>++
>+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
>+ var ErrRedirect = errors.New("unexpected redirect in response")
>+
>+diff --git a/client/hijack.go b/client/hijack.go
>+index 6bdacab10a..4dcaaca4c5 100644
>+--- a/client/hijack.go
>++++ b/client/hijack.go
>+@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
>+ }
>+
>+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
>+- req.Host = cli.addr
>++ req.URL.Host = cli.addr
>++ if cli.proto == "unix" || cli.proto == "npipe" {
>++ // Override host header for non-tcp connections.
>++ req.Host = DummyHost
>++ }
>+ req.Header.Set("Connection", "Upgrade")
>+ req.Header.Set("Upgrade", proto)
>+
>+diff --git a/client/request.go b/client/request.go
>+index c799095c12..bcedcf3bd9 100644
>+--- a/client/request.go
>++++ b/client/request.go
>+@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
>+ return nil, err
>+ }
>+ req = cli.addHeaders(req, headers)
>++ req.URL.Scheme = cli.scheme
>++ req.URL.Host = cli.addr
>+
>+ if cli.proto == "unix" || cli.proto == "npipe" {
>+- // For local communications, it doesn't matter what the host is. We just
>+- // need a valid and meaningful host name. (See #189)
>+- req.Host = "docker"
>++ // Override host header for non-tcp connections.
>++ req.Host = DummyHost
>+ }
>+
>+- req.URL.Host = cli.addr
>+- req.URL.Scheme = cli.scheme
>+-
>+ if expectedPayload && req.Header.Get("Content-Type") == "" {
>+ req.Header.Set("Content-Type", "text/plain")
>+ }
>+diff --git a/client/request_test.go b/client/request_test.go
>+index 6e5a6e81f2..50b09d954c 100644
>+--- a/client/request_test.go
>++++ b/client/request_test.go
>+@@ -29,12 +29,12 @@ func TestSetHostHeader(t *testing.T) {
>+ }{
>+ {
>+ "unix:///var/run/docker.sock",
>+- "docker",
>++ DummyHost,
>+ "/var/run/docker.sock",
>+ },
>+ {
>+ "npipe:////./pipe/docker_engine",
>+- "docker",
>++ DummyHost,
>+ "//./pipe/docker_engine",
>+ },
>+ {
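Review bot: TestSetHostHeader now expects `DummyHost` for the unix and npipe cases but still only compares strings; since the bug was that the old value failed net/http's Host validation, a case that sends the built request through a real `http.Transport` (or at least asserts that `req.Host` contains no `/`) would have caught this regression before Go 1.20.6 did, and would catch a future change to `DummyHost` that reintroduces it. A tcp:// case confirming that the Host header is still the daemon address would also pin the path this patch does not change.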
>+--
>+2.41.0
>+
>diff --git a/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
>new file mode 100644
>index 0000000000..5bd8682927
>--- /dev/null
>+++ b/package/docker-engine/0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch
>@@ -0,0 +1,69 @@
>+From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001
>+From: Sebastiaan van Stijn <github@gone.nl>
>+Date: Wed, 12 Jul 2023 15:07:59 +0200
>+Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections
>+
>+For local communications (npipe://, unix://), the hostname is not used,
>+but we need valid and meaningful hostname.
>+
>+The current code used the socket path as hostname, which gets rejected by
>+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
>+which was implemented in https://go.dev/issue/60374.
>+
>+Prior versions go Go would clean the host header, and strip slashes in the
>+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
>+header.
>+
>+Before this patch, tests would fail on go1.20.6:
>+
>+ === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
>+ time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
>+ time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
>+ time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
>+ time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
>+ authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
>+
>+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
>+
>+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
>+(cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
>+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
>+---
>+ pkg/plugins/client.go | 14 ++++++++++++--
>+ 1 file changed, 12 insertions(+), 2 deletions(-)
>+
>+diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
>+index 752fecd0ae..e683eb777d 100644
>+--- a/pkg/plugins/client.go
>++++ b/pkg/plugins/client.go
>+@@ -18,6 +18,12 @@ import (
>+
>+ const (
>+ defaultTimeOut = 30
>++
>++ // dummyHost is a hostname used for local communication.
>++ //
>++ // For local communications (npipe://, unix://), the hostname is not used,
>++ // but we need valid and meaningful hostname.
>++ dummyHost = "plugin.moby.localhost"
>+ )
>+
>+ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
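Review bot: the comment on `dummyHost` reads "we need valid and meaningful hostname" (missing "a") and, unlike `client.DummyHost`, does not say why a plain name under `.localhost` is safe to send; a pointer to the `client.DummyHost` doc block or the same RFC 2606 / RFC 6761 references would keep the rationale for the two constants in one place. Using a different value (`plugin.moby.localhost`) from the client package is fine, but a comment noting that the two are intentionally distinct would stop someone from "deduplicating" them later.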
>+@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
>+ return nil, err
>+ }
>+ scheme := httpScheme(u)
>+-
>+- return transport.NewHTTPTransport(tr, scheme, socket), nil
>++ hostName := u.Host
>++ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
>++ // Override host header for non-tcp connections.
>++ hostName = dummyHost
>++ }
>++ return transport.NewHTTPTransport(tr, scheme, hostName), nil
>+ }
>+
>+ // NewClient creates a new plugin client (http).
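Review bot: the `hostName == ""` clause applies to every scheme, so a tcp:// or http:// plugin address that happens to lack a host now gets `plugin.moby.localhost` as Host where it previously got the empty string passed through from `u.Host`; if that case is meant to be handled, a comment saying when `u.Host` can be empty for a non-local scheme would help, otherwise restrict the override to `unix` and `npipe` as the client package does. A note that `socket` (no longer passed to `NewHTTPTransport`) is still consumed by the dialer set up on `tr` would also save the reader a trip through the rest of the function.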
>+--
>+2.41.0
>+
>--
>2.41.0
>
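The failure the quoted patches fix, reproduced end to end in Go. This is an added example, not code from the Buildroot, Moby or Go projects: it stands up a throwaway HTTP server on a unix socket in a temporary directory (a Linux-style host is assumed) that echoes back the Host header it receives, then issues the same request twice the way the docker client builds it before and after the patch: once with the raw socket path as `req.Host` (the pre-patch hijack.go behaviour) and once with the patch's `DummyHost` value, copied from the hunk. `RunDemo`, `DemoResult`, `newUnixClient` and `ping` are names chosen for this example. Go 1.20.6 and 1.19.11 reject the first request on the client side with `http: invalid Host header`; the example records what happens rather than hard-coding that, because later Go releases changed the handling of an invalid Host header (blanking it instead of failing the request), so the invariant worth checking on any Go version is that the socket path never reaches the server as the Host value, while `DummyHost` always does.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
)

// DummyHost mirrors the constant the patch adds to the docker client: a
// syntactically valid name under the reserved ".localhost" TLD (RFC 2606,
// RFC 6761) that is never resolved, because the transport dials the socket.
const DummyHost = "api.moby.localhost"

// DemoResult records what the echo server saw for each Host header variant.
// (Type and field names belong to this example, not to the docker client.)
type DemoResult struct {
	SocketPath     string // unix socket the client dialled
	SocketPathSeen string // Host the server saw when req.Host was the socket path
	SocketPathErr  error  // client-side error for that request, if any
	DummyHostSeen  string // Host the server saw when req.Host was DummyHost
	DummyHostErr   error  // client-side error for that request, if any
}

// newUnixClient returns an http.Client whose transport ignores the address
// derived from the URL and always dials sockPath, as the docker client does
// for unix:// endpoints.
func newUnixClient(sockPath string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", sockPath)
		},
	}}
}

// ping builds GET /_ping the way client.buildRequest does: the URL authority
// is the socket path (cli.addr) and req.Host is whatever the caller passes.
// It returns the Host header value the server echoed back.
func ping(client *http.Client, sockPath, hostHeader string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, "/_ping", nil)
	if err != nil {
		return "", err
	}
	req.URL.Scheme = "http"
	req.URL.Host = sockPath // still done post-patch; only req.Host changes
	req.Host = hostHeader
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo starts a throwaway HTTP server on a unix socket that echoes the
// Host header it received, then sends one request per Host variant:
// pre-patch (socket path) and post-patch (DummyHost).
func RunDemo() (DemoResult, error) {
	dir, err := os.MkdirTemp("", "hosthdr")
	if err != nil {
		return DemoResult{}, err
	}
	defer os.RemoveAll(dir)

	sockPath := filepath.Join(dir, "docker.sock")
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return DemoResult{}, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.Host) // echo exactly what arrived on the wire
	})}
	go srv.Serve(ln)
	defer srv.Close()

	client := newUnixClient(sockPath)
	res := DemoResult{SocketPath: sockPath}
	res.SocketPathSeen, res.SocketPathErr = ping(client, sockPath, sockPath)
	res.DummyHostSeen, res.DummyHostErr = ping(client, sockPath, DummyHost)
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("Host=%q -> server saw %q, err=%v\n", res.SocketPath, res.SocketPathSeen, res.SocketPathErr)
	fmt.Printf("Host=%q -> server saw %q, err=%v\n", DummyHost, res.DummyHostSeen, res.DummyHostErr)
}
```

Run it with `go run`: on a toolchain with the Go 1.20.6 behaviour the first line reports the client-side `invalid Host header` error, on newer Go it reports that the server saw an empty Host, and in both cases the second line shows `api.moby.localhost`. The hijack path used by `docker exec -it` goes through the same `req.Host` override, which is why both request.go and hijack.go are touched in the patch.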
* Re: [Buildroot] [PATCH v1 1/2] package/docker-engine: backport fix for host header check
2023-07-21 5:51 ` [Buildroot] [PATCH v1 1/2] package/docker-engine: " TIAN Yuanhao
@ 2023-09-06 19:00 ` Peter Korsgaard
0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2023-09-06 19:00 UTC (permalink / raw)
To: TIAN Yuanhao; +Cc: Christian Stewart, buildroot
>>>>> "TIAN" == TIAN Yuanhao <tianyuanhao3@163.com> writes:
> Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
> At 2023-07-17 12:10:46, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
>> Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>>
>> https://github.com/golang/go/issues/60374
>>
>> docker-cli does not satisfy this check:
>>
>> $ docker exec -it ctr bash
>> http: invalid Host header
>>
>> This is a backported patch to fix this issue:
>>
>> Issue: https://github.com/moby/moby/issues/45935
>> Upstream PR: https://github.com/moby/moby/pull/45942
>>
>> The upstream PR has been merged and will be included in v24.0.5.
>>
>> Signed-off-by: Christian Stewart <christian@aperture.us>
Committed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH v1 2/2] package/docker-cli: backport fix for host header check
2023-07-21 5:50 ` TIAN Yuanhao
@ 2023-09-06 19:01 ` Peter Korsgaard
0 siblings, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2023-09-06 19:01 UTC (permalink / raw)
To: TIAN Yuanhao; +Cc: Christian Stewart, buildroot
>>>>> "TIAN" == TIAN Yuanhao <tianyuanhao3@163.com> writes:
> Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
> At 2023-07-17 12:10:47, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
>> Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>>
>> https://github.com/golang/go/issues/60374
>>
>> docker-cli does not satisfy this check:
>>
>> $ docker exec -it ctr bash
>> http: invalid Host header
>>
>> This is a backported patch to fix this issue:
>>
>> Issue: https://github.com/moby/moby/issues/45935
>> Upstream PR: https://github.com/moby/moby/pull/45942
>>
>> The upstream PR has been merged and will be included in v24.0.5.
>>
>> Signed-off-by: Christian Stewart <christian@aperture.us>
>> ---
>> ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
>> 1 file changed, 270 insertions(+)
>> create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>>
>> diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>> new file mode 100644
>> index 0000000000..2d16fd6df2
>> --- /dev/null
>> +++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
>> @@ -0,0 +1,270 @@
>> +From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
>> +From: Sebastiaan van Stijn <github@gone.nl>
>> +Date: Sat, 15 Jul 2023 02:22:10 +0200
>> +Subject: [PATCH] backport fix for go Host header check
>> +
>> +Go 1.20.6 and 1.19.11 include a security check of the http Host header:
>> +
>> + https://github.com/golang/go/issues/60374
>> +
>> +docker-cli fails this check:
>> +
>> + $ docker exec -it ctr bash
>> + http: invalid Host header
>> +
>> +This is a backported patch to fix this issue.
>> +
>> +Issue: https://github.com/moby/moby/issues/45935
>> +Upstream PR: https://github.com/moby/moby/pull/45942
>> +
>> +The upstream PR has been merged and will be included in v24.0.5.
>> +
>> +Signed-off-by: Christian Stewart <christian@aperture.us>
>> +
>> +---
>> +
>> +For local communications (npipe://, unix://), the hostname is not used,
>> +but we need valid and meaningful hostname.
>> +
>> +The current code used the socket path as hostname, which gets rejected by
>> +go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
>> +which was implemented in https://go.dev/issue/60374.
>> +
>> +Prior versions go Go would clean the host header, and strip slashes in the
>> +process, but go1.20.6 and go1.19.11 no longer do, and reject the host
>> +header.
>> +---
>> + vendor.mod | 16 +++++-----
>> + vendor.sum | 32 +++++++++----------
Do we really need the changes to vendor.mod / vendor.sum? They didn't
apply to 23.0.5 here, so I dropped those hunks.
Committed with that fixed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard
end of thread, other threads:[~2023-09-06 19:01 UTC | newest]
Thread overview: 6+ messages
2023-07-17 4:10 [Buildroot] [PATCH v1 1/2] package/docker-engine: backport fix for host header check Christian Stewart via buildroot
2023-07-17 4:10 ` [Buildroot] [PATCH v1 2/2] package/docker-cli: " Christian Stewart via buildroot
2023-07-21 5:50 ` TIAN Yuanhao
2023-09-06 19:01 ` Peter Korsgaard
2023-07-21 5:51 ` [Buildroot] [PATCH v1 1/2] package/docker-engine: " TIAN Yuanhao
2023-09-06 19:00 ` Peter Korsgaard