diff options
author | Damien Neil <dneil@google.com> | 2022-06-17 10:09:45 -0700 |
---|---|---|
committer | Michael Knyszek <mknyszek@google.com> | 2022-07-12 14:51:39 +0000 |
commit | ed2f33e1a7e0d18f61bd56f7ee067331d612c27e (patch) | |
tree | 05aa27116d8aa4c9de81ac6e53dabe4741f21052 | |
parent | d13431c37ab62f9755f705731536ff74e7165b08 (diff) | |
download | go-ed2f33e1a7e0d18f61bd56f7ee067331d612c27e.tar.gz go-ed2f33e1a7e0d18f61bd56f7ee067331d612c27e.zip |
[release-branch.go1.17] net/http: preserve nil values in Header.Clone
ReverseProxy makes a distinction between nil and zero-length header values.
Avoid losing nil-ness when cloning a request.
Thanks to Christian Mehlmauer for discovering this.
For #53423
For CVE-2022-32148
Fixes #53620
Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5
Reviewed-on: https://go-review.googlesource.com/c/go/+/412857
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415221
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
-rw-r--r-- | src/net/http/header.go | 6 | ||||
-rw-r--r-- | src/net/http/header_test.go | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/net/http/header.go b/src/net/http/header.go index 4c72dcb2c8..ef4ee7ffa8 100644 --- a/src/net/http/header.go +++ b/src/net/http/header.go @@ -101,6 +101,12 @@ func (h Header) Clone() Header { sv := make([]string, nv) // shared backing array for headers' values h2 := make(Header, len(h)) for k, vv := range h { + if vv == nil { + // Preserve nil values. ReverseProxy distinguishes + // between nil and zero-length header values. + h2[k] = nil + continue + } n := copy(sv, vv) h2[k] = sv[:n:n] sv = sv[n:] diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go index 4789362919..80c003551d 100644 --- a/src/net/http/header_test.go +++ b/src/net/http/header_test.go @@ -235,6 +235,11 @@ func TestCloneOrMakeHeader(t *testing.T) { in: Header{"foo": {"bar"}}, want: Header{"foo": {"bar"}}, }, + { + name: "nil value", + in: Header{"foo": nil}, + want: Header{"foo": nil}, + }, } for _, tt := range tests { |