net/http: fix authentication info leakage in Referer header (potential security risk) - go - Fork of Go programming language with my patches.

diff options

author	Jens Frederich <jfrederich@gmail.com>	2014-10-07 07:13:42 -0700
committer	Brad Fitzpatrick <bradfitz@golang.org>	2014-10-07 07:13:42 -0700
commit	f739b7750853f2d620c78eca9fc14c32e48a14d5 (patch)
tree	b81e18af51ed61694bc4c6edf0d3864a79c848ff /src/encoding/json
parent	6e8f7b4f3e98deb90c8e2bc183b514c6780cb3a9 (diff)
download	go-f739b7750853f2d620c78eca9fc14c32e48a14d5.tar.xz

net/http: fix authentication info leakage in Referer header (potential security risk)

http.Client calls URL.String() to fill in the Referer header, which may contain authentication info. This patch removes authentication info from the Referer header without introducing any API changes. A new test for net/http is also provided. This is the polished version of Alberto García Hierro's https://golang.org/cl/9766046/ It should handle https Referer right. Fixes #8417 LGTM=bradfitz R=golang-codereviews, gobot, bradfitz, mikioh.mikioh CC=golang-codereviews https://golang.org/cl/151430043

Diffstat (limited to 'src/encoding/json')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: