Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(630)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 151430043: code review 151430043: net/http: Fix authentication info leakage in Referer he... (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
9 years, 6 months ago by jfrederich
Modified:
9 years, 6 months ago
Reviewers:
bradfitz
CC:
golang-codereviews, gobot, bradfitz, mikio
Visibility:
Public.

Description

net/http: Fix authentication info leakage in Referer header (potential security risk) http.Client calls URL.String() to fill in the Referer header, which may contain authentication info. This patch removes authentication info from the Referer header without introducing any API changes. A new test for net/http is also provided. That's the polished version of CL 9766046. It should handle https Referer right. Related to CL: https://codereview.appspot.com/9766046/ Fixes issue 8417.

Patch Set 1 #

Patch Set 2 : diff -r bc0fe81c7252a5597bbc02c82f6a09f649c3e91e https://code.google.com/p/go #

Patch Set 3 : diff -r be3fe3a1120009c4d0b9b5d497b0c8d274177292 https://code.google.com/p/go #

Total comments: 6

Patch Set 4 : diff -r 442fb01a3731b772e7e6f73b0edc4de2d81e4efc https://code.google.com/p/go #

Unified diffs Side-by-side diffs Delta from patch set Stats (+68 lines, -2 lines) Patch
M src/net/http/client.go View 1 2 3 2 chunks +26 lines, -2 lines 0 comments Download
M src/net/http/client_test.go View 1 2 3 1 chunk +37 lines, -0 lines 0 comments Download
M src/net/http/export_test.go View 1 2 3 2 chunks +5 lines, -0 lines 0 comments Download

Messages

Total messages: 7
jfrederich
Hello golang-codereviews@googlegroups.com (cc: bradfitz@golang.org, golang-codereviews@googlegroups.com), I'd like you to review this change to https://code.google.com/p/go
9 years, 6 months ago (2014-10-05 17:54:52 UTC) #1
gobot
R=golang-dev (assigned by jfrederich@gmail.com)
9 years, 6 months ago (2014-10-05 17:57:56 UTC) #2
bradfitz
https://codereview.appspot.com/151430043/diff/40001/src/net/http/client.go File src/net/http/client.go (right): https://codereview.appspot.com/151430043/diff/40001/src/net/http/client.go#newcode104 src/net/http/client.go:104: // Returns the referer generated by the given URL ...
9 years, 6 months ago (2014-10-06 17:39:58 UTC) #3
mikio
https://codereview.appspot.com/151430043/diff/40001/src/net/http/client.go File src/net/http/client.go (right): https://codereview.appspot.com/151430043/diff/40001/src/net/http/client.go#newcode110 src/net/http/client.go:110: // http://tools.ietf.org/html/rfc2616#section-15.1.3 7231 obsoletes 2616, https://tools.ietf.org/html/rfc7231#section-5.5.2
9 years, 6 months ago (2014-10-06 21:33:53 UTC) #4
jfrederich
Hello golang-codereviews@googlegroups.com, gobot@golang.org, bradfitz@golang.org, mikioh.mikioh@gmail.com (cc: golang-codereviews@googlegroups.com), Please take another look.
9 years, 6 months ago (2014-10-07 13:06:48 UTC) #5
bradfitz
LGTM I'll fix the test output a bit when I submit.
9 years, 6 months ago (2014-10-07 14:02:31 UTC) #6
bradfitz
9 years, 6 months ago (2014-10-07 14:13:46 UTC) #7 
*** Submitted as https://code.google.com/p/go/source/detail?r=bdd5f6fd0274 ***

net/http: fix authentication info leakage in Referer header (potential security
risk)

http.Client calls URL.String() to fill in the Referer header, which may
contain authentication info. This patch removes authentication info from
the Referer header without introducing any API changes.

A new test for net/http is also provided.

This is the polished version of Alberto GarcĂ­a Hierro's
https://codereview.appspot.com/9766046/

It should handle https Referer right.

Fixes issue 8417

LGTM=bradfitz
R=golang-codereviews, gobot, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://codereview.appspot.com/151430043

Committer: Brad Fitzpatrick <bradfitz@golang.org>
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b