Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.23] net/http: strip sensitive proxy headers from redirect requests
author Neal Patel <nealpatel@google.com>
Wed, 21 May 2025 18:11:44 +0000 (14:11 -0400)
committer Carlos Amedee <carlos@golang.org>
Thu, 5 Jun 2025 18:10:16 +0000 (11:10 -0700)
commit b897e97c36cb62629a458bc681723ca733404e32
tree 3ccf9d161fe22b6d8908c968d3be98ac1d26fdca
parent c2c89d95516d2a6b51aa1766ed5f76e542ab282c
[release-branch.go1.23] net/http: strip sensitive proxy headers from redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

Updates golang/go#73816
Fixes golang/go#73905
Fixes CVE-2025-4673

Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0
Reviewed-on: https://go-review.googlesource.com/c/go/+/679255
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
src/net/http/client.go
src/net/http/client_test.go
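The redirect policy the commit describes, as an added Go example (not the commit's diff, which this page does not show): it treats `Proxy-Authorization` as the request header concerned and applies to it the same rule net/http uses for Authorization and cookies, namely that the header is carried only when the redirect target is the original host or a subdomain of it. The helper names are assumptions; the `CheckRedirect` hook is a client-side mitigation for programs that cannot yet run a release containing this fix.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// Credential-bearing headers that must not follow a cross-domain redirect;
// Proxy-Authorization is the entry this commit adds.
var sensitiveHeaders = map[string]bool{"Authorization": true, "Www-Authenticate": true,
	"Cookie": true, "Cookie2": true, "Proxy-Authorization": true}

// isDomainOrSubdomain: sub equals parent or is a subdomain of it ("api.example.com"
// under "example.com"); IPv6 literals and zone IDs (':' or '%') never qualify.
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if strings.ContainsAny(sub, ":%") || !strings.HasSuffix(sub, parent) {
		return false
	}
	return sub[len(sub)-len(parent)-1] == '.'
}

// shouldCopyHeaderOnRedirect: may a header of the initial request travel to
// the redirect target dest? Non-sensitive headers always may.
func shouldCopyHeaderOnRedirect(key string, initial, dest *url.URL) bool {
	if !sensitiveHeaders[http.CanonicalHeaderKey(key)] {
		return true
	}
	return isDomainOrSubdomain(strings.ToLower(dest.Hostname()), strings.ToLower(initial.Hostname()))
}

// stripSensitiveOnRedirect is a CheckRedirect hook: net/http has already
// copied the previous hop's headers into req when it runs, so it deletes any
// credential header that must not cross to the new domain.
func stripSensitiveOnRedirect(req *http.Request, via []*http.Request) error {
	for k := range req.Header {
		if !shouldCopyHeaderOnRedirect(k, via[0].URL, req.URL) {
			req.Header.Del(k)
		}
	}
	return nil
}

func main() { // wiring: every redirect the client follows passes through the hook
	_ = &http.Client{CheckRedirect: stripSensitiveOnRedirect}
}
```

The hook compares against `via[0]`, the first request of the chain, so a redirect that hops through a second domain and back still loses the credential headers on the cross-domain hop.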