cmd/go/internal/web: reject insecure redirects from secure origins - go - Fork of Go programming language with my patches.

diff options

author	Bryan C. Mills <bcmills@google.com>	2019-01-08 10:34:16 -0500
committer	Bryan C. Mills <bcmills@google.com>	2019-04-03 20:39:58 +0000
commit	e9d12739976cbc25deb9226db25897c4824a8684 (patch)
tree	ee1e72d3d3d92058785c02d8c49213ef4a059daf /test/codegen/stack.go
parent	a8b4bee683cbb54601bccefbfc28f95aa4340526 (diff)
download	go-e9d12739976cbc25deb9226db25897c4824a8684.tar.xz

cmd/go/internal/web: reject insecure redirects from secure origins

We rely on SSL certificates to verify the identity of origin servers. If an HTTPS server redirects through a plain-HTTP URL, that hop can be compromised. We should allow it only if the user set the -insecure flag explicitly. Fixes #29591 Change-Id: I00639541cca2ca034c01c464385a43b3aa8ee84f Reviewed-on: https://go-review.googlesource.com/c/go/+/156838 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

Diffstat (limited to 'test/codegen/stack.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: