net/http, net/http/cgi: fix HTTP_PROXY security issue #16405
That means Go programs running in a CGI environment (as a child process under a CGI host) are vulnerable to an incoming request containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and changing where Go by default proxies all outbound HTTP requests.
This is CVE-2016-5386, aka https://httpoxy.org/
The fix is at https://golang.org/cl/25010, which addressed both sides:
Sadly, in a past life I wrote and maintained http://search.cpan.org/~bradfitz/LWPx-ParanoidAgent/lib/LWPx/ParanoidAgent.pm to protect against attacks like this bug, but never considered this case :(
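The header-to-environment collision described in this issue, with one guard on the CGI host side and one on the HTTP client side, as an added Go example that is not part of the original issue and is not the code from the CL. `cgiEnv` and `proxyFor` are hypothetical helpers, and the request header is constructed from the value quoted in the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiEnv maps request headers to CGI meta-variables the RFC 3875 way, so a
// "Proxy" header becomes HTTP_PROXY. With dropProxy set, that header is skipped.
func cgiEnv(h http.Header, dropProxy bool) map[string]string {
	env := map[string]string{"REQUEST_METHOD": "GET"}
	for k, v := range h {
		name := strings.ToUpper(strings.ReplaceAll(k, "-", "_"))
		if dropProxy && name == "PROXY" {
			continue // host-side guard: never export a client-supplied proxy
		}
		env["HTTP_"+name] = strings.Join(v, ", ")
	}
	return env
}

// proxyFor returns the proxy an HTTP client would pick up from env.
// Client-side guard: REQUEST_METHOD present means the process is a CGI child,
// so HTTP_PROXY may have come from the request and is refused.
func proxyFor(env map[string]string, guard bool) (string, error) {
	p := env["HTTP_PROXY"]
	if p == "" {
		return "", nil
	}
	if guard && env["REQUEST_METHOD"] != "" {
		return "", fmt.Errorf("refusing HTTP_PROXY %q in CGI environment", p)
	}
	return p, nil
}

func main() {
	// Constructed request header, using the value quoted in the issue.
	h := http.Header{}
	h.Set("Proxy", "attacker.com:1234")
	h.Set("Accept", "*/*")

	p, _ := proxyFor(cgiEnv(h, false), false)
	fmt.Printf("unguarded: proxy=%q\n", p)
	_, err := proxyFor(cgiEnv(h, false), true)
	fmt.Println("client guard:", err)
	p, err = proxyFor(cgiEnv(h, true), true)
	fmt.Printf("host guard: proxy=%q err=%v\n", p, err)
}
```

Either guard alone stops the request header from choosing the outbound proxy; applying both covers a patched client behind an unpatched CGI host and the reverse.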