New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.17 backport] #53620
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
the
CherryPickCandidate
Used during the release process for point releases
label
Jun 29, 2022
Change https://go.dev/cl/415221 mentions this issue: |
toothrot
added
the
CherryPickApproved
Used during the release process for point releases
label
Jul 6, 2022
gopherbot
removed
the
CherryPickCandidate
Used during the release process for point releases
label
Jul 6, 2022
Approved. This is a serious issue with no workaround. |
Closed by merging ed2f33e to release-branch.go1.17. |
gopherbot
pushed a commit
that referenced
this issue
Jul 12, 2022
ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For #53423 For CVE-2022-32148 Fixes #53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 9, 2022
ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 12, 2022
ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
danbudris
pushed a commit
to danbudris/go
that referenced
this issue
Sep 14, 2022
ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 5, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@a966897 Upstream Source Commit: golang@ed2f33e # Original Information ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@a966897 Upstream Source Commit: golang@ed2f33e # Original Information ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 12, 2022
# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@0cf92aa Upstream Source Commit: golang@ed2f33e # Original Information ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
@neild requested issue #53423 to be considered for backport to the next 1.17 minor release.
The text was updated successfully, but these errors were encountered: