net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.17 backport] #53620

gopherbot · 2022-06-29T22:32:22Z

@neild requested issue #53423 to be considered for backport to the next 1.17 minor release.

@gopherbot please open backport issues.

gopherbot · 2022-06-29T22:33:54Z

Change https://go.dev/cl/415221 mentions this issue: [release-branch.go1.17] net/http: preserve nil values in Header.Clone

toothrot · 2022-07-06T16:18:23Z

Approved. This is a serious issue with no workaround.

gopherbot · 2022-07-12T14:54:06Z

Closed by merging ed2f33e to release-branch.go1.17.

ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For #53423 For CVE-2022-32148 Fixes #53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>

ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>

# AWS EKS Backported To: go-1.15.15-eks Backported On: Thu, 22 Sept 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@a966897 Upstream Source Commit: golang@ed2f33e # Original Information ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>

# AWS EKS Backported To: go-1.16.15-eks Backported On: Tue, 04 Oct 2022 Backported By: budris@amazon.com Backported From: release-branch.go1.17 EKS Patch Source Commit: danbudris@0cf92aa Upstream Source Commit: golang@ed2f33e # Original Information ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Jun 29, 2022

gopherbot mentioned this issue Jun 29, 2022

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working #53423

Closed

gopherbot added this to the Go1.17.12 milestone Jun 29, 2022

toothrot added the CherryPickApproved Used during the release process for point releases label Jul 6, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022

tatianab added Security release-blocker labels Jul 8, 2022

heschi modified the milestones: Go1.17.12, Go1.18.4 Jul 12, 2022

gopherbot closed this as completed Jul 12, 2022

golang locked and limited conversation to collaborators Jul 12, 2023

gopherbot added the FrozenDueToAge label Jul 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.17 backport] #53620

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.17 backport] #53620

gopherbot commented Jun 29, 2022

gopherbot commented Jun 29, 2022

toothrot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.17 backport] #53620

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.17 backport] #53620

Comments

gopherbot commented Jun 29, 2022

gopherbot commented Jun 29, 2022

toothrot commented Jul 6, 2022

gopherbot commented Jul 12, 2022