net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.18 backport] #53621

gopherbot · 2022-06-29T22:32:24Z

@neild requested issue #53423 to be considered for backport to the next 1.18 minor release.

@gopherbot please open backport issues.

gopherbot · 2022-06-29T22:34:26Z

Change https://go.dev/cl/415222 mentions this issue: [release-branch.go1.18] net/http: preserve nil values in Header.Clone

toothrot · 2022-07-06T16:18:26Z

Approved. This is a serious issue with no workaround.

ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For #53423 For CVE-2022-32148 Fixes #53621 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415222 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>

gopherbot · 2022-07-12T14:59:21Z

Closed by merging ebea1e3 to release-branch.go1.18.

ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For golang#53423 For CVE-2022-32148 Fixes golang#53621 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fe) Reviewed-on: https://go-review.googlesource.com/c/go/+/415222 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Jun 29, 2022

gopherbot mentioned this issue Jun 29, 2022

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working #53423

Closed

gopherbot added this to the Go1.18.4 milestone Jun 29, 2022

toothrot added the CherryPickApproved Used during the release process for point releases label Jul 6, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Jul 6, 2022

tatianab added Security release-blocker labels Jul 8, 2022

gopherbot closed this as completed Jul 12, 2022

golang locked and limited conversation to collaborators Jul 12, 2023

gopherbot added the FrozenDueToAge label Jul 12, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.18 backport] #53621

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.18 backport] #53621

gopherbot commented Jun 29, 2022

gopherbot commented Jun 29, 2022

toothrot commented Jul 6, 2022

gopherbot commented Jul 12, 2022

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.18 backport] #53621

net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working [1.18 backport] #53621

Comments

gopherbot commented Jun 29, 2022

gopherbot commented Jun 29, 2022

toothrot commented Jul 6, 2022

gopherbot commented Jul 12, 2022