diff options
author | Brad Fitzpatrick <bradfitz@golang.org> | 2016-07-18 06:05:24 +0000 |
---|---|---|
committer | Chris Broadfoot <cbro@golang.org> | 2016-07-18 15:13:06 +0000 |
commit | cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021 (patch) | |
tree | fb24b2f2ebc41e265ea34f318d6dfe6fcd525651 /VERSION | |
parent | 53da5fd4d431881bb3583c9790db7735a6530a1b (diff) | |
download | go-cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021.tar.gz go-cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021.zip |
[release-branch.go1.7] net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue
Because,
* The CGI spec defines that incoming request header "Foo: Bar" maps to
environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)
* The HTTP_PROXY environment variable is conventionally used to configure
the HTTP proxy for HTTP clients (and is respected by default for
Go's net/http.Client and Transport)
That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.
This is CVE-2016-5386, aka https://httpoxy.org/
Fixes #16405
Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-on: https://go-review.googlesource.com/25013
Diffstat (limited to 'VERSION')
0 files changed, 0 insertions, 0 deletions