diff options
| author | Filippo Valsorda <filippo@golang.org> | 2021-05-21 14:02:30 -0400 |
|---|---|---|
| committer | Filippo Valsorda <filippo@golang.org> | 2021-05-27 15:00:58 +0000 |
| commit | 950fa11c4cb01a145bb07eeb167d90a1846061b3 (patch) | |
| tree | fd1f694cc31ac4dbc37847dcaff2d4819533dba4 /src/net/http/httputil/reverseproxy.go | |
| parent | 9bc52686da81b515cf3ad654dfb1a536fabceafa (diff) | |
| download | go-950fa11c4cb01a145bb07eeb167d90a1846061b3.tar.gz go-950fa11c4cb01a145bb07eeb167d90a1846061b3.zip | |
net/http/httputil: always remove hop-by-hop headers
Previously, we'd fail to remove the Connection header from a request
like this:
Connection:
Connection: x-header
Fixes #46313
Fixes CVE-2021-33197
Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Diffstat (limited to 'src/net/http/httputil/reverseproxy.go')
| -rw-r--r-- | src/net/http/httputil/reverseproxy.go | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go index 1432ee26d3..5d39955d62 100644 --- a/src/net/http/httputil/reverseproxy.go +++ b/src/net/http/httputil/reverseproxy.go @@ -253,22 +253,18 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { // important is "Connection" because we want a persistent // connection, regardless of what the client sent to us. for _, h := range hopHeaders { - hv := outreq.Header.Get(h) - if hv == "" { - continue - } - if h == "Te" && hv == "trailers" { - // Issue 21096: tell backend applications that - // care about trailer support that we support - // trailers. (We do, but we don't go out of - // our way to advertise that unless the - // incoming client request thought it was - // worth mentioning) - continue - } outreq.Header.Del(h) } + // Issue 21096: tell backend applications that care about trailer support + // that we support trailers. (We do, but we don't go out of our way to + // advertise that unless the incoming client request thought it was worth + // mentioning.) Note that we look at req.Header, not outreq.Header, since + // the latter has passed through removeConnectionHeaders. + if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") { + outreq.Header.Set("Te", "trailers") + } + // After stripping all the hop-by-hop connection headers above, add back any // necessary for protocol upgrades, such as for websockets. if reqUpType != "" { |