Cypherpunks repositories - gostls13.git/commit
net/http: strip sensitive proxy headers from redirect requests
author Neal Patel <nealpatel@google.com>
Wed, 21 May 2025 18:11:44 +0000 (14:11 -0400)
committer Carlos Amedee <carlos@golang.org>
Thu, 5 Jun 2025 18:44:48 +0000 (11:44 -0700)
commit 4d1c255f159d90557b43ede07f8b9a209e1fb49c
tree 4aa89ece6aea1dca8934d4509eb758c0b4ddaa66
parent 3432c68467d50ffc622fed230a37cd401d82d4bf
net/http: strip sensitive proxy headers from redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

For #73816
Fixes CVE-2025-4673

Change-Id: Ied7b641f6531f1d340ccba3c636d3c30dd5547d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/679257
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
src/net/http/client.go
src/net/http/client_test.go
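The rule the commit message describes, as an added example that is not the Go project's own client.go code: a stand-alone model of which headers may be copied onto a redirected request, with Proxy-Authorization added to the list of credentials dropped once the redirect leaves the original domain or its subdomains, followed by a loopback probe that shows what the installed net/http actually forwards. The host names origin.example, other.example, the header values and the helper names are constructed for the example; the probe routes every connection to one httptest server through a custom dialer, so it needs no DNS or network. Whether the probe reports Proxy-Authorization as crossing hosts depends on whether the running toolchain carries this fix; Authorization has been stripped on cross-host redirects for many releases and serves as the control.

```go
// Added example for this commit page, not code from Go's net/http: a model of
// the rule that strips credentials on a cross-domain redirect, extended with
// Proxy-Authorization, plus a loopback probe of the installed toolchain.
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// Headers that must not follow a redirect outside the original domain.
// Proxy-Authorization is the entry this fix adds; the rest were already dropped.
var sensitiveOnRedirect = map[string]bool{
	"Authorization": true, "Www-Authenticate": true, "Cookie": true,
	"Cookie2": true, "Proxy-Authorization": true,
}

// isDomainOrSubdomain reports whether sub equals parent or is a subdomain of
// it. IPv6 literals (':' or '%') never match, and the suffix must start at a
// dot so that "evilexample.com" is not treated as under "example.com".
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if strings.ContainsAny(sub, ":%") || !strings.HasSuffix(sub, parent) {
		return false
	}
	return sub[len(sub)-len(parent)-1] == '.'
}

// keepOnRedirect decides whether header key, set on the request to initial, may
// be copied onto the redirected request to dest. Hosts are compared lower-cased;
// IDNA normalisation is left out of this model.
func keepOnRedirect(key, initial, dest string) bool {
	if !sensitiveOnRedirect[http.CanonicalHeaderKey(key)] {
		return true
	}
	i, err1 := url.Parse(initial)
	d, err2 := url.Parse(dest)
	if err1 != nil || err2 != nil {
		return false // never forward credentials to a target that does not parse
	}
	return isDomainOrSubdomain(strings.ToLower(d.Hostname()), strings.ToLower(i.Hostname()))
}

// probeToolchain makes the installed net/http follow a 302 from the constructed
// http://origin.example/start to http://other.example/land, dialling one loopback
// test server for both names, and reports which headers reached the second host.
func probeToolchain() (map[string]bool, error) {
	var mu sync.Mutex
	landed := http.Header{}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/start" {
			http.Redirect(w, r, "http://other.example/land", http.StatusFound)
			return
		}
		mu.Lock()
		landed = r.Header.Clone()
		mu.Unlock()
	}))
	defer srv.Close()
	tr := &http.Transport{ // Proxy stays nil so HTTP_PROXY cannot divert the probe
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, srv.Listener.Addr().String())
		},
	}
	defer tr.CloseIdleConnections()
	req, err := http.NewRequest(http.MethodGet, "http://origin.example/start", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer constructed-token")
	req.Header.Set("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ=")
	req.Header.Set("X-Trace", "harmless")
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	out := map[string]bool{}
	for _, k := range []string{"Authorization", "Proxy-Authorization", "X-Trace"} {
		out[k] = landed.Get(k) != ""
	}
	return out, nil
}

func main() {
	fmt.Println("same-site keep:", keepOnRedirect("Proxy-Authorization", "https://example.com/a", "https://api.example.com/b"))
	fmt.Println("cross-site keep:", keepOnRedirect("Proxy-Authorization", "https://example.com/a", "https://evil.example.net/b"))
	got, err := probeToolchain()
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	// With this fix applied, Proxy-Authorization reads false here.
	fmt.Println("headers that crossed hosts on this toolchain:", got)
}
```

Running the probe against a toolchain older than this fix shows Proxy-Authorization arriving at other.example while Authorization does not, which is exactly the leak the commit closes; a client that sets proxy credentials by hand on a request (rather than through Transport.Proxy) is the case to audit.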