]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 895fb1b) | patch
[release-branch.go1.16] net/http/httputil: always remove hop-by-hop headers
authorFilippo Valsorda <filippo@golang.org>
Fri, 21 May 2021 18:02:30 +0000 (14:02 -0400)
committerKatie Hockman <katie@golang.org>
Fri, 28 May 2021 13:53:35 +0000 (13:53 +0000)
commit0410005dc458f23fb15f64354f9a24ca8f2fe044
tree0b537725d94a72764ae20ce9a6c60ae5e3ffa55ctree
parent895fb1bb6fc0d3c01c5ef7c8cbaf033d1fff9ad7commit | diff
[release-branch.go1.16] net/http/httputil: always remove hop-by-hop headers

Previously, we'd fail to remove the Connection header from a request
like this:

    Connection:
    Connection: x-header

Updates #46313
Fixes #46315
Fixes CVE-2021-33197

Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
(cherry picked from commit 950fa11c4cb01a145bb07eeb167d90a1846061b3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/323090
src/net/http/httputil/reverseproxy.go diff | blob | history
src/net/http/httputil/reverseproxy_test.go diff | blob | history
Go GOST TLS 1.3