diff options
| author | Neal Patel <nealpatel@google.com> | 2025-05-21 14:11:44 -0400 |
|---|---|---|
| committer | Carlos Amedee <carlos@golang.org> | 2025-06-05 11:44:48 -0700 |
| commit | 4d1c255f159d90557b43ede07f8b9a209e1fb49c (patch) | |
| tree | 4aa89ece6aea1dca8934d4509eb758c0b4ddaa66 | |
| parent | 3432c68467d50ffc622fed230a37cd401d82d4bf (diff) | |
| download | go-4d1c255f159d90557b43ede07f8b9a209e1fb49c.tar.xz | |
net/http: strip sensitive proxy headers from redirect requests
Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.
https://fetch.spec.whatwg.org/#authentication-entries
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
For #73816
Fixes CVE-2025-4673
Change-Id: Ied7b641f6531f1d340ccba3c636d3c30dd5547d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/679257
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
| -rw-r--r-- | src/net/http/client.go | 3 | ||||
| -rw-r--r-- | src/net/http/client_test.go | 3 |
2 files changed, 5 insertions, 1 deletions
diff --git a/src/net/http/client.go b/src/net/http/client.go index 43a7a06bfb..ba095ea1e3 100644 --- a/src/net/http/client.go +++ b/src/net/http/client.go @@ -806,7 +806,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit for k, vv := range ireqhdr { sensitive := false switch CanonicalHeaderKey(k) { - case "Authorization", "Www-Authenticate", "Cookie", "Cookie2": + case "Authorization", "Www-Authenticate", "Cookie", "Cookie2", + "Proxy-Authorization", "Proxy-Authenticate": sensitive = true } if !(sensitive && stripSensitiveHeaders) { diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go index f2e04ca4e8..8f88e29ad2 100644 --- a/src/net/http/client_test.go +++ b/src/net/http/client_test.go @@ -1550,6 +1550,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { if r.Host+r.URL.Path != "a.example.com/" { if h := r.Header.Get("Authorization"); h != "" { t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h) + } else if h := r.Header.Get("Proxy-Authorization"); h != "" { + t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h) } } // Follow a chain of redirects from a to b and back to a. @@ -1578,6 +1580,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { req, _ := NewRequest("GET", proto+"://a.example.com/", nil) req.Header.Add("Cookie", "foo=bar") req.Header.Add("Authorization", "secretpassword") + req.Header.Add("Proxy-Authorization", "secretpassword") res, err := c.Do(req) if err != nil { t.Fatal(err) |