author | Filippo Valsorda <filippo@golang.org> | 2020-05-01 01:14:04 -0400 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2020-05-06 16:25:52 +0000 |
commit | 21898524f66c075d7cfb64a38f17684140e57675 (patch) | |
tree | c67d606c88de9c6c888fd2ea059c2bc4ebcd7e89 /src/net/http/httputil/reverseproxy.go | |
parent | d5734d4f2dd1168dc3df94f2b9912299aea0c0ac (diff) | |
net/http: use ASCII space trimming throughout
Security hardening against HTTP request smuggling. Thank you to ZeddYu
for reporting this issue.
Change-Id: I98bd9f8ffe58360fc3bca9dc5d9a106773e55373
Reviewed-on: https://go-review.googlesource.com/c/go/+/231419
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/net/http/httputil/reverseproxy.go')
-rw-r--r-- | src/net/http/httputil/reverseproxy.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
index 70de7b107d..3f48fab544 100644
--- a/src/net/http/httputil/reverseproxy.go
+++ b/src/net/http/httputil/reverseproxy.go
@@ -13,6 +13,7 @@ import (
 "log"
 "net"
 "net/http"
+ "net/textproto"
 "net/url"
 "strings"
 "sync"
@@ -387,7 +388,7 @@ func shouldPanicOnCopyError(req *http.Request) bool {
 func removeConnectionHeaders(h http.Header) {
 for _, f := range h["Connection"] {
 for _, sf := range strings.Split(f, ",") {
- if sf = strings.TrimSpace(sf); sf != "" {
+ if sf = textproto.TrimString(sf); sf != "" {
 h.Del(sf)
 }
 } |
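Review bot: The new `textproto.TrimString(sf)` call in `removeConnectionHeaders` has no comment explaining why ASCII-only trimming is required, and it looks close enough to `strings.TrimSpace` that a later cleanup could revert it. `strings.TrimSpace` also strips Unicode white space, so a Connection token padded with a non-ASCII space would be normalised here into a header name that another hop may parse differently; that parsing disagreement is what the commit message's smuggling hardening is about. I would add above the `if`: `// Trim ASCII whitespace only; strings.TrimSpace also strips Unicode spaces, which can make hops disagree on the header name.` A regression test with a Connection token padded by a non-ASCII space would pin this, if the commit does not already add one outside this file; the function's closing lines are outside the hunk.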