author | Damien Neil <dneil@google.com> | 2021-07-07 16:34:34 -0700 |
---|---|---|
committer | Carlos Amedee <carlos@golang.org> | 2021-08-02 22:22:46 +0000 |
commit | ba93baa74a52d57ae79313313ea990cc791ef50e (patch) | |
tree | 558a03d6c3bf10af5b64566a0d8e33d6b3330052 /src/cmd/go/internal/load/pkg.go | |
parent | c6d89dbf9954b101589e2db8e170b84167782109 (diff) | |
[release-branch.go1.15] net/http/httputil: close incoming ReverseProxy request body

Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, because http.Server does not (contrary
to its documentation) close the request body in this case.

Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.

Fixes #47473
Updates #46866
Fixes CVE-2021-36221
Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit b7a85e0003cedb1b48a1fd3ae5b746ec6330102e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/338550
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Diffstat (limited to 'src/cmd/go/internal/load/pkg.go')
0 files changed, 0 insertions, 0 deletions
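
The commit message describes closing the incoming request body so that an in-flight outgoing request stops reading from it once the handler has aborted. The Go program below is an added example, not code from this commit or from net/http/httputil: it shows the same defensive pattern with a deferred Close that still runs when the handler panics. The names guardedBody, closeBodyOnExit and readAfterAbort are hypothetical, and the payload is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// guardedBody is a constructed request body that refuses reads after Close.
type guardedBody struct {
	r      io.Reader
	closed bool
}

func (b *guardedBody) Read(p []byte) (int, error) {
	if b.closed {
		return 0, errors.New("read after Close")
	}
	return b.r.Read(p)
}
func (b *guardedBody) Close() error { b.closed = true; return nil }

// closeBodyOnExit (hypothetical) closes the body on return and on panic.
func closeBodyOnExit(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer r.Body.Close() // deferred calls run while a panic unwinds
		next.ServeHTTP(w, r)
	})
}

// readAfterAbort aborts a handler with a panic, then performs the read that a
// still-running outgoing request would attempt on the same body.
func readAfterAbort(wrap bool) (int, error) {
	body := &guardedBody{r: strings.NewReader("constructed payload")}
	req := &http.Request{Method: http.MethodPost, Body: body}
	var h http.Handler = http.HandlerFunc(func(http.ResponseWriter, *http.Request) { panic(http.ErrAbortHandler) })
	if wrap {
		h = closeBodyOnExit(h)
	}
	func() {
		defer func() { _ = recover() }() // stand-in for the server's recover
		h.ServeHTTP(httptest.NewRecorder(), req)
	}()
	return body.Read(make([]byte, 8))
}

func main() { fmt.Println(readAfterAbort(false)); fmt.Println(readAfterAbort(true)) }
```

Without the wrapper the late read still succeeds on the open body; with it the read fails immediately, which is the property the commit message asks for.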