
net/http/httputil: ReverseProxy forwards Connection headers if first one is empty [1.15 backport] #46314

Closed
gopherbot opened this issue May 21, 2021 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone

Comments

@gopherbot
Contributor

@FiloSottile requested issue #46313 to be considered for backport to the next 1.15 minor release.

@gopherbot please open backport issues for this, according to the security policy.

@dmitshur
Contributor

Approving as a fix for a security issue. This backport applies to both 1.16 (#46315) and 1.15 (this issue).

@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases Security and removed CherryPickCandidate Used during the release process for point releases labels May 21, 2021
@gopherbot
Contributor Author

Change https://golang.org/cl/323091 mentions this issue: [release-branch.go1.15] net/http/httputil: always remove hop-by-hop headers

@gopherbot
Contributor Author

Closed by merging cbd1ca8 to release-branch.go1.15.

gopherbot pushed a commit that referenced this issue May 28, 2021
…eaders

Previously, we'd fail to remove the Connection header from a request
like this:

    Connection:
    Connection: x-header

Updates #46313
Fixes #46314
Fixes CVE-2021-33197

Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
Run-TryBot: Katie Hockman <katie@golang.org>
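To make the failure in the commit message concrete, here is an added Go example (my own illustration, not the Go project's code) that contrasts a removal routine consulting only the first Connection value, the shape the commit describes fixing, with one that walks every Connection line; the header names and the X-Header value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// Pre-fix shape (my reconstruction, not the project's code): Header.Get returns
// only the first Connection value, so an empty first line skips all removal.
func buggyRemoveConnectionHeaders(h http.Header) {
	if c := h.Get("Connection"); c != "" {
		for _, f := range strings.Split(c, ",") {
			if f = strings.TrimSpace(f); f != "" {
				h.Del(f)
			}
		}
	}
}
// Fixed shape: walk every Connection line and every comma-separated token.
func fixedRemoveConnectionHeaders(h http.Header) {
	for _, f := range h["Connection"] {
		for _, sf := range strings.Split(f, ",") {
			if sf = textproto.TrimString(sf); sf != "" {
				h.Del(sf)
			}
		}
	}
}
// Constructed request from the commit message: an empty Connection line, then
// "Connection: x-header", plus the X-Header that should be stripped.
func sampleHeaders() http.Header {
	h := http.Header{}
	h.Add("Connection", "")
	h.Add("Connection", "x-header")
	h.Set("X-Header", "must-not-reach-backend")
	return h
}
// forwardsXHeader reports whether X-Header survives the given removal step.
func forwardsXHeader(remove func(http.Header)) bool {
	h := sampleHeaders()
	remove(h)
	return h.Get("X-Header") != ""
}
func main() {
	fmt.Println("buggy forwards X-Header:", forwardsXHeader(buggyRemoveConnectionHeaders)) // true
	fmt.Println("fixed forwards X-Header:", forwardsXHeader(fixedRemoveConnectionHeaders)) // false
}
```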
@golang golang locked and limited conversation to collaborators May 28, 2022