net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] #70530
Description
The HTTP client drops sensitive headers after following a cross-domain redirect.
For example, a request to a.com/ containing an Authorization header which is
redirected to b.com/ will not send that header to b.com.
In the event that the client received a subsequent same-domain redirect, however,
the sensitive headers would be restored. For example, a chain of redirects from
a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization
header to b.com/2.
Thanks to Kyle Seely for reporting this issue.
This is CVE-2024-45336.
Tracked in http://b/379881954 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1641.
/cc @golang/security and @golang/release