From 63727cc58253c59c71cf8491bb4d7448990d63b8 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 28 Jun 2023 13:18:36 -0700
Subject: [PATCH] http2: validate Host header before sending

Verify that the Host header we send is valid.
Avoids sending a request that the server will reject,
possibly sending us into a retry loop.

No test in this CL, but this will be covered by the net/http
test added in CL 506996.

For golang/go#60374

Change-Id: I78867eb05293ad8ca1b02bc22fb626760949d4b8
Reviewed-on: https://go-review.googlesource.com/c/net/+/506995
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
---
 http2/transport.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/http2/transport.go b/http2/transport.go
index 4f08ccba9..da53e83cb 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -1880,6 +1880,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
 	if err != nil {
 		return nil, err
 	}
+	if !httpguts.ValidHostHeader(host) {
+		return nil, errors.New("http2: invalid Host header")
+	}
 
 	var path string
 	if req.Method != "CONNECT" {