[release-branch.go1.15] net/http/httputil: close incoming ReverseProxy request body - go

diff options

author	Damien Neil <dneil@google.com>	2021-07-07 16:34:34 -0700
committer	Carlos Amedee <carlos@golang.org>	2021-08-02 22:22:46 +0000
commit	ba93baa74a52d57ae79313313ea990cc791ef50e (patch)
tree	558a03d6c3bf10af5b64566a0d8e33d6b3330052 /src/cmd/go/internal/load/pkg.go
parent	c6d89dbf9954b101589e2db8e170b84167782109 (diff)
download	go-ba93baa74a52d57ae79313313ea990cc791ef50e.tar.gz go-ba93baa74a52d57ae79313313ea990cc791ef50e.zip

[release-branch.go1.15] net/http/httputil: close incoming ReverseProxy request body

Reading from an incoming request body after the request handler aborts with a panic can cause a panic, becuse http.Server does not (contrary to its documentation) close the request body in this case. Always close the incoming request body in ReverseProxy.ServeHTTP to ensure that any in-flight outgoing requests using the body do not read from it. Fixes #47473 Updates #46866 Fixes CVE-2021-36221 Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df Reviewed-on: https://go-review.googlesource.com/c/go/+/333191 Trust: Damien Neil <dneil@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> (cherry picked from commit b7a85e0003cedb1b48a1fd3ae5b746ec6330102e) Reviewed-on: https://go-review.googlesource.com/c/go/+/338550 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com>

Diffstat (limited to 'src/cmd/go/internal/load/pkg.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: