net/http: panic due to racy read of persistConn after handler panic [1.15 backport] #47473
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
|
Change https://golang.org/cl/338550 mentions this issue: |
|
Approved as a fix for a security issue. This backport applies to both 1.16 (#47474) and 1.15 (this issue). |
dmitshur
added
CherryPickApproved
|
Closed by merging ba93baa to release-branch.go1.15. |
gopherbot
pushed a commit
that referenced
this issue
Aug 2, 2021
…y request body Reading from an incoming request body after the request handler aborts with a panic can cause a panic, becuse http.Server does not (contrary to its documentation) close the request body in this case. Always close the incoming request body in ReverseProxy.ServeHTTP to ensure that any in-flight outgoing requests using the body do not read from it. Fixes #47473 Updates #46866 Fixes CVE-2021-36221 Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df Reviewed-on: https://go-review.googlesource.com/c/go/+/333191 Trust: Damien Neil <dneil@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> (cherry picked from commit b7a85e0) Reviewed-on: https://go-review.googlesource.com/c/go/+/338550 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@FiloSottile requested issue #46866 to be considered for backport to the next 1.15 minor release.
The text was updated successfully, but these errors were encountered: