diff options
Diffstat (limited to '1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch')
| -rw-r--r-- | 1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch | 67 |
1 files changed, 0 insertions, 67 deletions
diff --git a/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch b/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch deleted file mode 100644 index 44a575b..0000000 --- a/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 709fda0a42b8ffde78136af52e02f260622926fa Mon Sep 17 00:00:00 2001 -From: Neal Patel <nealpatel@google.com> -Date: Wed, 21 May 2025 14:11:44 -0400 -Subject: [PATCH] net/http: strip sensitive proxy headers from redirect - requests - -Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain. - -https://fetch.spec.whatwg.org/#authentication-entries - -Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. - -Updates golang/go#73816 -Fixes golang/go#73905 -Fixes CVE-2025-4673 - -Confict: no -Reference:https://go-review.googlesource.com/c/go/+/679255 - -Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0 -Reviewed-on: https://go-review.googlesource.com/c/go/+/679255 -LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> -Reviewed-by: Michael Knyszek <mknyszek@google.com> -Signed-off-by: jichao wu <wujichao1@huawei.com> ---- - src/net/http/client.go | 3 ++- - src/net/http/client_test.go | 3 +++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/net/http/client.go b/src/net/http/client.go -index 9231f63..a814cf3 100644 ---- a/src/net/http/client.go -+++ b/src/net/http/client.go -@@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit - for k, vv := range ireqhdr { - sensitive := false - switch CanonicalHeaderKey(k) { -- case "Authorization", "Www-Authenticate", "Cookie", "Cookie2": -+ case "Authorization", "Www-Authenticate", "Cookie", "Cookie2", -+ "Proxy-Authorization", "Proxy-Authenticate": - sensitive = true - } - if !(sensitive && stripSensitiveHeaders) { -diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go -index 1ce9539..8ab4f58 100644 ---- a/src/net/http/client_test.go -+++ b/src/net/http/client_test.go -@@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { - if r.Host+r.URL.Path != "a.example.com/" { - if h := r.Header.Get("Authorization"); h != "" { - t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h) -+ } else if h := r.Header.Get("Proxy-Authorization"); h != "" { -+ t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h) - } - } - // Follow a chain of redirects from a to b and back to a. -@@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { - req, _ := NewRequest("GET", proto+"://a.example.com/", nil) - req.Header.Add("Cookie", "foo=bar") - req.Header.Add("Authorization", "secretpassword") -+ req.Header.Add("Proxy-Authorization", "secretpassword") - res, err := c.Do(req) - if err != nil { - t.Fatal(err) --- -2.33.0 - |