Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests
author Neal Patel <nealpatel@google.com>
Wed, 21 May 2025 18:11:44 +0000 (14:11 -0400)
committer Carlos Amedee <carlos@golang.org>
Thu, 5 Jun 2025 18:10:09 +0000 (11:10 -0700)
commit 85897ca220a149333a88b1e4d63f3b751f1141f5
tree afb7ed45cddba8a71541600b2f97fd4ec3673629
parent 9f9cf28f8fe67e6c17123cae2d89f116504f2be1
[release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

Updates golang/go#73816
Fixes golang/go#73906
Fixes CVE-2025-4673

Change-Id: I8a0f30d5d6bff6c71689bba6efa0b747947e7eb0
Reviewed-on: https://go-review.googlesource.com/c/go/+/679256
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
src/net/http/client.go
src/net/http/client_test.go
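The behaviour the commit describes, as an added example that is not the Go project's own patch: a redirect-header policy that drops Authorization, Proxy-Authorization and Cookie whenever a redirect leaves the original request's domain, enforced from a `CheckRedirect` hook so it holds regardless of which Go release the client is built with. Everything below is constructed for illustration: the `sameDomain` and `stripSensitiveOnCrossDomainRedirect` helpers, the `checkPolicy`/`runDemo` entry points, the hosts `a.example` and `b.example`, and the credential and request-id values. Cookie is included as an assumption of what a conservative policy would add; the commit message itself names only the two authorization headers.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveHeaders are the request headers that must not follow a redirect to
// another domain. Authorization and Proxy-Authorization are the two the commit
// message covers; Cookie is added here as a conservative assumption.
var sensitiveHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// sameDomain reports whether target is the initial host or one of its
// subdomains (hypothetical helper; exact-host-or-subdomain is the rule used here).
func sameDomain(initial, target *url.URL) bool {
	a := strings.ToLower(initial.Hostname())
	b := strings.ToLower(target.Hostname())
	return a == b || strings.HasSuffix(b, "."+a)
}

// stripSensitiveOnCrossDomainRedirect deletes the sensitive headers from h when
// the redirect target leaves the initial request's domain, and returns the
// names it removed in sensitiveHeaders order (nil when nothing was removed).
func stripSensitiveOnCrossDomainRedirect(initial, target *url.URL, h http.Header) []string {
	if sameDomain(initial, target) {
		return nil
	}
	var removed []string
	for _, name := range sensitiveHeaders {
		if _, present := h[name]; present {
			h.Del(name)
			removed = append(removed, name)
		}
	}
	return removed
}

// checkPolicy applies the rule to a constructed header set and returns the
// removed names, so the policy can be exercised without any HTTP traffic.
func checkPolicy(initialURL, targetURL string) ([]string, error) {
	initial, err := url.Parse(initialURL)
	if err != nil {
		return nil, err
	}
	target, err := url.Parse(targetURL)
	if err != nil {
		return nil, err
	}
	h := http.Header{}
	h.Set("Authorization", "Bearer demo-token")        // constructed value
	h.Set("Proxy-Authorization", "Basic ZGVtbzpkZW1v") // constructed value
	h.Set("Cookie", "session=constructed")
	h.Set("X-Request-Id", "constructed-123") // harmless header, must survive
	return stripSensitiveOnCrossDomainRedirect(initial, target, h), nil
}

// newRedirectGuardClient wraps rt in a client whose CheckRedirect hook enforces
// the policy on every hop. net/http copies headers onto the outgoing request
// before calling CheckRedirect, so deleting them here takes effect.
func newRedirectGuardClient(rt http.RoundTripper) *http.Client {
	return &http.Client{
		Transport: rt,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return fmt.Errorf("stopped after %d redirects", len(via))
			}
			stripSensitiveOnCrossDomainRedirect(via[0].URL, req.URL, req.Header)
			return nil
		},
	}
}

// fakeTransport stands in for the network: a.example answers with a 302 to
// b.example and b.example answers 200. It records the headers each host saw.
type fakeTransport struct{ seen map[string]http.Header }

func (t *fakeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.seen[req.URL.Host] = req.Header.Clone()
	resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
		Body: io.NopCloser(strings.NewReader("ok")), Request: req}
	if req.URL.Host == "a.example" {
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", "http://b.example/landing")
	}
	return resp, nil
}

// runDemo sends one credentialed request through the cross-domain redirect and
// returns the headers observed at each host.
func runDemo() (map[string]http.Header, error) {
	ft := &fakeTransport{seen: map[string]http.Header{}}
	req, err := http.NewRequest(http.MethodGet, "http://a.example/start", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer demo-token")        // constructed
	req.Header.Set("Proxy-Authorization", "Basic ZGVtbzpkZW1v") // constructed
	req.Header.Set("X-Request-Id", "constructed-123")
	resp, err := newRedirectGuardClient(ft).Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return ft.seen, nil
}

func main() {
	seen, err := runDemo()
	if err != nil {
		panic(err)
	}
	for host, h := range seen {
		fmt.Printf("%s got Proxy-Authorization=%q X-Request-Id=%q\n",
			host, h.Get("Proxy-Authorization"), h.Get("X-Request-Id"))
	}
}
```

Running it shows `a.example` receiving both credential headers and `b.example` receiving only `X-Request-Id`. The hook works against any transport, so the same client can be pointed at a real network while keeping the policy; a redirect to `api.a.example` is treated as same-domain and keeps its headers.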