Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.18] net/http/httputil: avoid query parameter smuggling
author    Damien Neil <dneil@google.com>	Thu, 22 Sep 2022 20:32:00 +0000 (13:32 -0700)
committer Dmitri Shuralyov <dmitshur@golang.org>	Wed, 28 Sep 2022 16:36:33 +0000 (16:36 +0000)
commit    9d2c73a9fd69e45876509bb3bdb2af99bf77da1e
tree      c594d174f1588c5abf0e4500f2a2f71ff6c61d2d
parent    2b9596cb9b2726efa3c5fb0717f117ae10e8b9f6

Query parameter smuggling occurs when a proxy's interpretation
of query parameters differs from that of a downstream server.
Change ReverseProxy to avoid forwarding ignored query parameters.

Remove unparsable query parameters from the outbound request

   * if req.Form != nil after calling ReverseProxy.Director; and
   * before calling ReverseProxy.Rewrite.

This change preserves the existing behavior of forwarding the
raw query untouched if a Director hook does not parse the query
by calling Request.ParseForm (possibly indirectly).

Fixes #55842
For #54663
For CVE-2022-2880

Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9
Reviewed-on: https://go-review.googlesource.com/c/go/+/432976
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
(cherry picked from commit 7c84234142149bd24a4096c6cab691d3593f3431)
Reviewed-on: https://go-review.googlesource.com/c/go/+/433695
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
src/net/http/httputil/reverseproxy.go
src/net/http/httputil/reverseproxy_test.go
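As an added example that is not the repository's own code, the Go program below implements the cleaning step the commit message describes: a Director hook that calls ParseForm and then drops the query parameters net/url refused to parse, so a backend that treats ';' as a separator (or is lax about percent-encoding) never receives pairs the proxy ignored. The backend host and the sample query a=1;b=2&c=3 are constructed for illustration, and newProxy is a hypothetical helper, not part of net/http/httputil.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
)

func isHex(c byte) bool {
	return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F')
}

// reencode keeps only what url.ParseQuery accepts; ParseQuery returns the
// pairs it could parse alongside the first error, so rejected pairs vanish.
func reencode(raw string) string {
	v, _ := url.ParseQuery(raw)
	return v.Encode()
}

// cleanQuery drops parameters that Go ignores (a ';' separator, or a '%'
// not followed by two hex digits) but a downstream server might honour.
// A query with nothing to drop is returned verbatim, byte order intact.
// Editor's own implementation of the described behaviour, not Go's code.
func cleanQuery(raw string) string {
	for i := 0; i < len(raw); {
		switch raw[i] {
		case ';':
			return reencode(raw)
		case '%':
			if i+2 >= len(raw) || !isHex(raw[i+1]) || !isHex(raw[i+2]) {
				return reencode(raw)
			}
			i += 3
		default:
			i++
		}
	}
	return raw
}

// newProxy is a hypothetical ReverseProxy whose Director parses the form (as
// the commit message says a Director may) and then strips what was ignored.
func newProxy(target *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: func(req *http.Request) {
		req.URL.Scheme, req.URL.Host = target.Scheme, target.Host
		_ = req.ParseForm() // a non-nil error means some parameters were ignored
		req.URL.RawQuery = cleanQuery(req.URL.RawQuery)
	}}
}
```

Running the Director on a request for /p?a=1;b=2&c=3 forwards only /p?c=3 to the backend; a query with nothing to drop passes through unchanged.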