author | Damien Neil <dneil@google.com> | 2022-06-17 10:09:45 -0700 |
---|---|---|
committer | Michael Knyszek <mknyszek@google.com> | 2022-07-12 14:51:53 +0000 |
commit | ebea1e3353fa766025aa5190b9c7cc05cf069187 (patch) | |
tree | 8780a4d06a878f204c4b64b0575cc00a0d816537 | |
parent | 222ee24a0046ae61679f4d97967e3b4058a3b90e (diff) | |
[release-branch.go1.18] net/http: preserve nil values in Header.Clone
ReverseProxy makes a distinction between nil and zero-length header values.
Avoid losing nil-ness when cloning a request.
Thanks to Christian Mehlmauer for discovering this.
For #53423
For CVE-2022-32148
Fixes #53621
Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5
Reviewed-on: https://go-review.googlesource.com/c/go/+/412857
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415222
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
-rw-r--r-- | src/net/http/header.go | 6 | ||||
-rw-r--r-- | src/net/http/header_test.go | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/net/http/header.go b/src/net/http/header.go
index 6487e5025d..6437f2d2c0 100644
--- a/src/net/http/header.go
+++ b/src/net/http/header.go
@@ -103,6 +103,12 @@ func (h Header) Clone() Header {
 sv := make([]string, nv) // shared backing array for headers' values
 h2 := make(Header, len(h))
 for k, vv := range h {
+ if vv == nil {
+ // Preserve nil values. ReverseProxy distinguishes
+ // between nil and zero-length header values.
+ h2[k] = nil
+ continue
+ }
 n := copy(sv, vv)
 h2[k] = sv[:n:n]
 sv = sv[n:]
diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go
index 57d16f51a5..0b13d311ac 100644
--- a/src/net/http/header_test.go
+++ b/src/net/http/header_test.go
@@ -248,6 +248,11 @@ func TestCloneOrMakeHeader(t *testing.T) {
 in: Header{"foo": {"bar"}},
 want: Header{"foo": {"bar"}},
 },
+ {
+ name: "nil value",
+ in: Header{"foo": nil},
+ want: Header{"foo": nil},
+ },
 }
 for _, tt := range tests { |
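Review bot: The nil-preservation contract introduced in the `for k, vv := range h` loop is recorded only in an inline comment. Clone's doc comment sits above the hunk and, unless it already says so, should state the guarantee, because the commit message ties this behaviour to CVE-2022-32148 and a later rewrite of the shared-backing-array copy could silently drop it again. Something like `// Nil values are preserved as nil; callers such as ReverseProxy treat a nil value differently from a zero-length one.` would do. The function starts and ends outside the hunk, so the computation of `nv` is not visible; it presumably sums `len(vv)`, in which case nil entries contribute nothing and the early `continue` stays consistent with it.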
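Review bot: The new table entry pins only the nil side of the distinction, so a future change that collapsed zero-length values to nil would still pass. Add a sibling case such as `{name: "empty value", in: Header{"foo": {}}, want: Header{"foo": {}}},` and ideally one header mixing a nil value with populated ones, to exercise the `continue` next to the shared backing array. The comparison itself is below the hunk, and these cases only bite if it distinguishes nil from empty slices (presumably reflect.DeepEqual, to be confirmed). The diffstat also shows no test at the ReverseProxy level, which is where the behaviour described in the commit message is actually observed.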