Cypherpunks repositories - gostls13.git/commit

author	Damien Neil <dneil@google.com>
	Thu, 22 Sep 2022 20:32:00 +0000 (13:32 -0700)
committer	Dmitri Shuralyov <dmitshur@golang.org>
	Wed, 28 Sep 2022 16:36:28 +0000 (16:36 +0000)
commit	f6d844510d5f1e3b3098eba255d9b633d45eac3b
tree	74f2b270537bf165d442a1ed6cf0ec76796a718f	tree
parent	2614985ef7d252004c8bd2edddb7314446964874	commit \| diff

[release-branch.go1.19] net/http/httputil: avoid query parameter smuggling

Query parameter smuggling occurs when a proxy's interpretation
of query parameters differs from that of a downstream server.
Change ReverseProxy to avoid forwarding ignored query parameters.

Remove unparsable query parameters from the outbound request

* if req.Form != nil after calling ReverseProxy.Director; and
* before calling ReverseProxy.Rewrite.

This change preserves the existing behavior of forwarding the
raw query untouched if a Director hook does not parse the query
by calling Request.ParseForm (possibly indirectly).

Fixes #55843
For #54663
For CVE-2022-2880

Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9
Reviewed-on: https://go-review.googlesource.com/c/go/+/432976
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/433735
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

src/net/http/httputil/reverseproxy.go		diff \| blob \| history
src/net/http/httputil/reverseproxy_test.go		diff \| blob \| history