net/http: permit incoming CONNECT requests without Host headers

Apparently they exist in the wild. See:
#18215 (comment)
(Facebook / iOS)

Fixes #18215

Change-Id: I9ddad3896b5d784cb3f5b3ee9c6819081a4a2702
Reviewed-on: https://go-review.googlesource.com/44004
Run-TryBot: Brad Fitzpatrick <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Matt Layher <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>

Author: bradfitz

src/net/http/serve_test.go

@@ -4358,6 +4358,9 @@ func TestServerValidatesHostHeader(t *testing.T) {
 		// Make an exception for HTTP upgrade requests:
 		{"PRI * HTTP/2.0", "", 200},
 
+		// Also an exception for CONNECT requests: (Issue 18215)
+		{"CONNECT golang.org:443 HTTP/1.1", "", 200},
+
 		// But not other HTTP/2 stuff:
 		{"PRI / HTTP/2.0", "", 400},
 		{"GET / HTTP/2.0", "", 400},

src/net/http/server.go

@@ -943,7 +943,7 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
 
 	hosts, haveHost := req.Header["Host"]
 	isH2Upgrade := req.isH2Upgrade()
-	if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade {
+	if req.ProtoAtLeast(1, 1) && (!haveHost || len(hosts) == 0) && !isH2Upgrade && req.Method != "CONNECT" {
 		return nil, badRequestError("missing required Host header")
 	}
 	if len(hosts) > 1 {