| author | Damien Neil <dneil@google.com> | 2022-09-22 13:32:00 -0700 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2022-09-23 21:06:17 +0000 |
| commit | 7c84234142149bd24a4096c6cab691d3593f3431 (patch) | |
| tree | b62d2c34d19cd0754c0167d29d3dbef93fad02e5 /src/debug | |
| parent | 3dcf6e2c29f533865aad58488b60ae8d819a566e (diff) | |
| download | go-7c84234142149bd24a4096c6cab691d3593f3431.tar.xz | |

net/http/httputil: avoid query parameter smuggling

Query parameter smuggling occurs when a proxy's interpretation
of query parameters differs from that of a downstream server.
Change ReverseProxy to avoid forwarding ignored query parameters.

Remove unparsable query parameters from the outbound request

* if req.Form != nil after calling ReverseProxy.Director; and
* before calling ReverseProxy.Rewrite.

This change preserves the existing behavior of forwarding the
raw query untouched if a Director hook does not parse the query
by calling Request.ParseForm (possibly indirectly).

Fixes #54663
Fixes CVE-2022-2880

Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9
Reviewed-on: https://go-review.googlesource.com/c/go/+/432976
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>

Diffstat (limited to 'src/debug')
0 files changed, 0 insertions, 0 deletions
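
The parser differential the commit message describes, as an added example that is not code from this commit or from the Go project: it shows a parameter the proxy's parser ignores but a downstream parser accepts, and how dropping unparsable pairs before forwarding removes the disagreement. The function names and the sample query are constructed, and `legacyBackendView` is a hypothetical downstream parser assumed to split on both `&` and `;`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// proxyView is what a Go proxy sees after parsing: url.ParseQuery (Go 1.17+)
// skips any pair containing ';' or an invalid %-escape and reports an error.
func proxyView(raw string) url.Values {
	v, _ := url.ParseQuery(raw) // error ignored, keeping only the parsable pairs
	return v
}

// legacyBackendView models a hypothetical downstream parser (an assumption of
// this example) that accepts both '&' and ';' as pair separators.
func legacyBackendView(raw string) url.Values {
	out := url.Values{}
	isSep := func(r rune) bool { return r == '&' || r == ';' }
	for _, pair := range strings.FieldsFunc(raw, isSep) {
		k, v, _ := strings.Cut(pair, "=")
		k, errK := url.QueryUnescape(k)
		v, errV := url.QueryUnescape(v)
		if errK == nil && errV == nil {
			out.Add(k, v)
		}
	}
	return out
}

// dropUnparsable keeps only the '&'-separated pairs that url.ParseQuery
// accepts, so the forwarded query holds nothing the proxy could not see.
func dropUnparsable(raw string) string {
	var kept []string
	for _, pair := range strings.Split(raw, "&") {
		if _, err := url.ParseQuery(pair); pair != "" && err == nil {
			kept = append(kept, pair)
		}
	}
	return strings.Join(kept, "&")
}

func main() {
	raw := "user=alice&x=1;role=admin&bad=%zz" // constructed sample query
	fmt.Println("proxy sees:", proxyView(raw), "backend sees:", legacyBackendView(raw))
	clean := dropUnparsable(raw)
	fmt.Println("forwarded:", clean, "backend now sees:", legacyBackendView(clean))
}
```

A proxy that applies access checks to `proxyView` but forwards the raw string lets `role=admin` reach the backend unchecked; forwarding the cleaned query closes that gap.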
