Merge branch 'release/1.15.x' into backport/nfi-hashicorp-patch-1/unl…

…ikely-loving-bear
hashicorp · Jul 17, 2023 · 59a7fcf · 59a7fcf
2 parents 6141900 + e17c8f7
commit 59a7fcf
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -376,7 +376,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-xl }}
       repository-name: ${{ github.repository }}
       go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
-      go-version: "1.19.10"
+      go-version: "1.19"
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
@@ -395,12 +395,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-xl }}
       repository-name: ${{ github.repository }}
       go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
-      # pinning this to 1.20.5 because this issue in go-testcontainers occurs
-      # in 1.20.6 with the error "http: invalid Host header, host port waiting failed"
-      # https://github.com/testcontainers/testcontainers-go/issues/1359
-      # remove setting this when the above issue is fixed so that the reusable
-      # job will just get the go version from go.mod.
-      go-version: "1.20.5"
+      go-version: "1.20"
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
@@ -438,6 +433,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-xl }}
       repository-name: ${{ github.repository }}
       go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
+      go-version: "1.20"
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read

diff --git a/api/api.go b/api/api.go
@@ -984,6 +984,17 @@ func (r *request) toHTTP() (*http.Request, error) {
 		return nil, err
 	}
 
+	// validate that socket communications that do not use the host, detect
+	// slashes in the host name and replace it with local host.
+	// this is required since go started validating req.host in 1.20.6 and 1.19.11.
+	// prior to that they would strip out the slashes for you.  They removed that
+	// behavior and added more strict validation as part of a CVE.
+	// https://github.com/golang/go/issues/60374
+	// the hope is that
+	if strings.HasPrefix(r.url.Host, "/") {
+		r.url.Host = "localhost"
+	}
+
 	req.URL.Host = r.url.Host
 	req.URL.Scheme = r.url.Scheme
 	req.Host = r.url.Host

diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx
@@ -739,7 +739,7 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
 - `server_rejoin_age_max` - controls the allowed maximum age of a stale server attempting to rejoin a cluster.
   If a server is not running for this period, then it will refuse to start up again until an operator intervenes. This is to protect
   clusters from instability caused by decommissioned servers accidentally being started again.
-  Note: the default value is 7d and the minimum value is 6h.
+  Note: the default value is 168h (equal to 7d) and the minimum value is 6h.
 
 - `non_voting_server` - **This field is deprecated in Consul 1.9.1. See the [`read_replica`](#read_replica) field instead.**