net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336]

[neild]

The HTTP client drops sensitive headers after following a cross-domain redirect.
For example, a request to a.com/ containing an Authorization header which is
redirected to b.com/ will not send that header to b.com.

In the event that the client received a subsequent same-domain redirect, however,
the sensitive headers would be restored. For example, a chain of redirects from
a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization
header to b.com/2.

Thanks to Kyle Seely for reporting this issue.

This is CVE-2024-45336.

Tracked in http://b/379881954 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1641.

/cc @golang/security and @golang/release

[gabyhelp]

Related Issues

• security: fix CVE-2024-34157 #69140 (closed)
• security: fix CVE-2023-39324 #63212 (closed)
• security: fix CVE-2023-45288 #66297 (closed)

Related Code Changes

• doc: suggest security@golang.org for reporting security issues

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[neild]

@gopherbot please open backport issues for 1.22, 1.23, and 1.24

[gopherbot]

Backport issue(s) opened: #71210 (for 1.22), #71211 (for 1.23), #71212 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/643095 mentions this issue: net/http: persist header stripping across repeated redirects

[gopherbot]

Change https://go.dev/cl/643104 mentions this issue: [release-branch.go1.23] net/http: persist header stripping across repeated redirects

[gopherbot]

Change https://go.dev/cl/643106 mentions this issue: [release-branch.go1.22] net/http: persist header stripping across repeated redirects

[gopherbot]

Change https://go.dev/cl/643100 mentions this issue: net/http: persist header stripping across repeated redirects