Remove hack MalformedHostHeaderOverride
This hack was added to fix a compatibility with clients
that were built using Go 1.5 and older (added in 3d6f5984f5)
This hack causes some problems with current clients; with Go 1.5 and older
no longer being supported for some time, and being several years old, it
should now be ok to remove this hack altogether.
People using tools that are built with those versions of Go wouldn't have
updated those for years, and are probably out of date anyway; that's not
something we can continue taking into account.
This will affect docker clients (the docker cli) for docker 1.12 and older.
Those versions have reached EOL a long time ago (and have known unpatched
vulnerabilities), so should no longer be used anyway, but We should add
a nebtuib in the release notes, just in case someone, somewhere, still
has such old tools.
For those affected, using a more recent client (and if needed, setting
the DOCKER_API_VERSION environment variable to the needed API version)
should provide a way out.
This reverts the changes originally made in; #22000 and #22888,
which were to address #20865.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
parent
9b67b40e1a
commit
f6b1f01de3
|
|
@ -641,7 +641,6 @@ func loadListeners(cli *DaemonCli, serverConfig *apiserver.Config) ([]string, er
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ls = wrapListeners(proto, ls)
|
||||
// If we're binding to a TCP port, make sure that a container doesn't try to use it.
|
||||
if proto == "tcp" {
|
||||
if err := allocateDaemonPort(addr); err != nil {
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/containerd/containerd/runtime/v1/linux"
|
||||
"github.com/docker/docker/cmd/dockerd/hack"
|
||||
"github.com/docker/docker/daemon"
|
||||
"github.com/docker/docker/daemon/config"
|
||||
"github.com/docker/docker/libcontainerd/supervisor"
|
||||
|
|
@ -122,18 +121,6 @@ func allocateDaemonPort(addr string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func wrapListeners(proto string, ls []net.Listener) []net.Listener {
|
||||
switch proto {
|
||||
case "unix":
|
||||
ls[0] = &hack.MalformedHostHeaderOverride{Listener: ls[0]}
|
||||
case "fd":
|
||||
for i := range ls {
|
||||
ls[i] = &hack.MalformedHostHeaderOverride{Listener: ls[i]}
|
||||
}
|
||||
}
|
||||
return ls
|
||||
}
|
||||
|
||||
func newCgroupParent(config *config.Config) string {
|
||||
cgroupParent := "docker"
|
||||
useSystemd := daemon.UsingSystemd(config)
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@ package main
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
|
@ -86,10 +85,6 @@ func allocateDaemonPort(addr string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func wrapListeners(proto string, ls []net.Listener) []net.Listener {
|
||||
return ls
|
||||
}
|
||||
|
||||
func newCgroupParent(config *config.Config) string {
|
||||
return ""
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,121 +0,0 @@
|
|||
// +build !windows
|
||||
|
||||
package hack // import "github.com/docker/docker/cmd/dockerd/hack"
|
||||
|
||||
import "net"
|
||||
|
||||
// MalformedHostHeaderOverride is a wrapper to be able
|
||||
// to overcome the 400 Bad request coming from old docker
|
||||
// clients that send an invalid Host header.
|
||||
type MalformedHostHeaderOverride struct {
|
||||
net.Listener
|
||||
}
|
||||
|
||||
// MalformedHostHeaderOverrideConn wraps the underlying unix
|
||||
// connection and keeps track of the first read from http.Server
|
||||
// which just reads the headers.
|
||||
type MalformedHostHeaderOverrideConn struct {
|
||||
net.Conn
|
||||
first bool
|
||||
}
|
||||
|
||||
var closeConnHeader = []byte("\r\nConnection: close\r")
|
||||
|
||||
// Read reads the first *read* request from http.Server to inspect
|
||||
// the Host header. If the Host starts with / then we're talking to
|
||||
// an old docker client which send an invalid Host header. To not
|
||||
// error out in http.Server we rewrite the first bytes of the request
|
||||
// to sanitize the Host header itself.
|
||||
// In case we're not dealing with old docker clients the data is just passed
|
||||
// to the server w/o modification.
|
||||
func (l *MalformedHostHeaderOverrideConn) Read(b []byte) (n int, err error) {
|
||||
// http.Server uses a 4k buffer
|
||||
if l.first && len(b) == 4096 {
|
||||
// This keeps track of the first read from http.Server which just reads
|
||||
// the headers
|
||||
l.first = false
|
||||
// The first read of the connection by http.Server is done limited to
|
||||
// DefaultMaxHeaderBytes (usually 1 << 20) + 4096.
|
||||
// Here we do the first read which gets us all the http headers to
|
||||
// be inspected and modified below.
|
||||
c, err := l.Conn.Read(b)
|
||||
if err != nil {
|
||||
return c, err
|
||||
}
|
||||
|
||||
var (
|
||||
start, end int
|
||||
firstLineFeed = -1
|
||||
buf []byte
|
||||
)
|
||||
for i := 0; i <= c-1-7; i++ {
|
||||
if b[i] == '\n' && firstLineFeed == -1 {
|
||||
firstLineFeed = i
|
||||
}
|
||||
if b[i] != '\n' {
|
||||
continue
|
||||
}
|
||||
|
||||
if b[i+1] == '\r' && b[i+2] == '\n' {
|
||||
return c, nil
|
||||
}
|
||||
|
||||
if b[i+1] != 'H' {
|
||||
continue
|
||||
}
|
||||
if b[i+2] != 'o' {
|
||||
continue
|
||||
}
|
||||
if b[i+3] != 's' {
|
||||
continue
|
||||
}
|
||||
if b[i+4] != 't' {
|
||||
continue
|
||||
}
|
||||
if b[i+5] != ':' {
|
||||
continue
|
||||
}
|
||||
if b[i+6] != ' ' {
|
||||
continue
|
||||
}
|
||||
if b[i+7] != '/' {
|
||||
continue
|
||||
}
|
||||
// ensure clients other than the docker clients do not get this hack
|
||||
if i != firstLineFeed {
|
||||
return c, nil
|
||||
}
|
||||
start = i + 7
|
||||
// now find where the value ends
|
||||
for ii, bbb := range b[start:c] {
|
||||
if bbb == '\n' {
|
||||
end = start + ii
|
||||
break
|
||||
}
|
||||
}
|
||||
buf = make([]byte, 0, c+len(closeConnHeader)-(end-start))
|
||||
// strip the value of the host header and
|
||||
// inject `Connection: close` to ensure we don't reuse this connection
|
||||
buf = append(buf, b[:start]...)
|
||||
buf = append(buf, closeConnHeader...)
|
||||
buf = append(buf, b[end:c]...)
|
||||
copy(b, buf)
|
||||
break
|
||||
}
|
||||
if len(buf) == 0 {
|
||||
return c, nil
|
||||
}
|
||||
return len(buf), nil
|
||||
}
|
||||
return l.Conn.Read(b)
|
||||
}
|
||||
|
||||
// Accept makes the listener accepts connections and wraps the connection
|
||||
// in a MalformedHostHeaderOverrideConn initializing first to true.
|
||||
func (l *MalformedHostHeaderOverride) Accept() (net.Conn, error) {
|
||||
c, err := l.Listener.Accept()
|
||||
if err != nil {
|
||||
return c, err
|
||||
}
|
||||
return &MalformedHostHeaderOverrideConn{c, true}, nil
|
||||
}
|
||||
|
|
@ -1,124 +0,0 @@
|
|||
// +build !windows
|
||||
|
||||
package hack // import "github.com/docker/docker/cmd/dockerd/hack"
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"io"
|
||||
"net"
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
type bufConn struct {
|
||||
net.Conn
|
||||
buf *bytes.Buffer
|
||||
}
|
||||
|
||||
func (bc *bufConn) Read(b []byte) (int, error) {
|
||||
return bc.buf.Read(b)
|
||||
}
|
||||
|
||||
func TestHeaderOverrideHack(t *testing.T) {
|
||||
tests := [][2][]byte{
|
||||
{
|
||||
[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\n"),
|
||||
[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\r\n\r\n"),
|
||||
},
|
||||
{
|
||||
[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\nFoo: Bar\r\n"),
|
||||
[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\nFoo: Bar\r\n"),
|
||||
},
|
||||
{
|
||||
[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\ntest something!"),
|
||||
[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\r\n\r\ntest something!"),
|
||||
},
|
||||
{
|
||||
[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\ntest something! " + strings.Repeat("test", 15000)),
|
||||
[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\r\n\r\ntest something! " + strings.Repeat("test", 15000)),
|
||||
},
|
||||
{
|
||||
[]byte("GET /foo\nFoo: Bar\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\n"),
|
||||
[]byte("GET /foo\nFoo: Bar\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\n"),
|
||||
},
|
||||
}
|
||||
|
||||
// Test for https://github.com/docker/docker/issues/23045
|
||||
h0 := "GET /foo\nUser-Agent: Docker\r\n\r\n"
|
||||
h0 = h0 + strings.Repeat("a", 4096-len(h0)-1) + "\n"
|
||||
tests = append(tests, [2][]byte{[]byte(h0), []byte(h0)})
|
||||
|
||||
for _, pair := range tests {
|
||||
read := make([]byte, 4096)
|
||||
client := &bufConn{
|
||||
buf: bytes.NewBuffer(pair[0]),
|
||||
}
|
||||
l := MalformedHostHeaderOverrideConn{client, true}
|
||||
|
||||
n, err := l.Read(read)
|
||||
if err != nil && err != io.EOF {
|
||||
t.Fatalf("read: %d - %d, err: %v\n%s", n, len(pair[0]), err, string(read[:n]))
|
||||
}
|
||||
if !bytes.Equal(read[:n], pair[1][:n]) {
|
||||
t.Fatalf("\n%s\n%s\n", read[:n], pair[1][:n])
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkWithHack(b *testing.B) {
|
||||
client, srv := net.Pipe()
|
||||
done := make(chan struct{})
|
||||
req := []byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\n")
|
||||
read := make([]byte, 4096)
|
||||
b.SetBytes(int64(len(req) * 30))
|
||||
|
||||
l := MalformedHostHeaderOverrideConn{client, true}
|
||||
go func() {
|
||||
for {
|
||||
if _, err := srv.Write(req); err != nil {
|
||||
srv.Close()
|
||||
break
|
||||
}
|
||||
l.first = true // make sure each subsequent run uses the hack parsing
|
||||
}
|
||||
close(done)
|
||||
}()
|
||||
|
||||
for i := 0; i < b.N; i++ {
|
||||
for i := 0; i < 30; i++ {
|
||||
if n, err := l.Read(read); err != nil && err != io.EOF {
|
||||
b.Fatalf("read: %d - %d, err: %v\n%s", n, len(req), err, string(read[:n]))
|
||||
}
|
||||
}
|
||||
}
|
||||
l.Close()
|
||||
<-done
|
||||
}
|
||||
|
||||
func BenchmarkNoHack(b *testing.B) {
|
||||
client, srv := net.Pipe()
|
||||
done := make(chan struct{})
|
||||
req := []byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\n")
|
||||
read := make([]byte, 4096)
|
||||
b.SetBytes(int64(len(req) * 30))
|
||||
|
||||
go func() {
|
||||
for {
|
||||
if _, err := srv.Write(req); err != nil {
|
||||
srv.Close()
|
||||
break
|
||||
}
|
||||
}
|
||||
close(done)
|
||||
}()
|
||||
|
||||
for i := 0; i < b.N; i++ {
|
||||
for i := 0; i < 30; i++ {
|
||||
if _, err := client.Read(read); err != nil && err != io.EOF {
|
||||
b.Fatal(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
client.Close()
|
||||
<-done
|
||||
}
|
||||
Loading…
Reference in New Issue