Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.16] net/http/httputil: close incoming ReverseProxy request body
author Damien Neil <dneil@google.com>
Wed, 7 Jul 2021 23:34:34 +0000 (16:34 -0700)
committer Filippo Valsorda <filippo@golang.org>
Mon, 2 Aug 2021 16:58:12 +0000 (16:58 +0000)
commit accf363d5da864521c90b152fb734f3f15e00521
tree 2e77972f5aeb0cf0f3f8931e0f31777c323c7509
parent ae7943e11b41b5ee98279bf0574942e09f15ce20

Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, because http.Server does not (contrary
to its documentation) close the request body in this case.

Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.

Fixes #47474
Updates #46866
Fixes CVE-2021-36221

Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit b7a85e0003cedb1b48a1fd3ae5b746ec6330102e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/338551
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
src/net/http/httputil/reverseproxy.go
src/net/http/httputil/reverseproxy_test.go
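
A regression check for the behaviour the commit message describes, written as an added example that is not part of this commit or the Go source tree: it drives `ReverseProxy.ServeHTTP` with a failing backend and reports whether the incoming request body was closed. The names `trackedBody`, `failingTransport` and `proxyClosesBody` and the `.invalid` hosts are hypothetical, and it assumes a Go release that contains this fix.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// trackedBody (hypothetical) records whether Close was called on the body.
type trackedBody struct {
	io.Reader
	closed bool
}

func (b *trackedBody) Close() error { b.closed = true; return nil }

// failingTransport (hypothetical) simulates a backend failure and, unlike
// http.Transport, never closes the body, so only ServeHTTP can close it.
type failingTransport struct{}

func (failingTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return nil, errors.New("constructed backend failure")
}

// proxyClosesBody reports whether ReverseProxy.ServeHTTP closed the incoming
// request body, plus the status code the proxy returned to the client.
func proxyClosesBody() (closed bool, status int) {
	target, _ := url.Parse("http://backend.invalid") // constructed, never dialed
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = failingTransport{}
	proxy.ErrorLog = log.New(io.Discard, "", 0) // silence the expected proxy error

	body := &trackedBody{Reader: strings.NewReader("constructed payload")}
	req := httptest.NewRequest(http.MethodPost, "http://proxy.invalid/", body)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return body.closed, rec.Code
}

func main() {
	closed, status := proxyClosesBody()
	fmt.Printf("incoming body closed=%v, client status=%d\n", closed, status)
}
```
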