Cypherpunks repositories - gostls13.git/commit
net/http: fix authentication info leakage in Referer header (potential security risk)
author Jens Frederich <jfrederich@gmail.com>
Tue, 7 Oct 2014 14:13:42 +0000 (07:13 -0700)
committer Brad Fitzpatrick <bradfitz@golang.org>
Tue, 7 Oct 2014 14:13:42 +0000 (07:13 -0700)
commit f739b7750853f2d620c78eca9fc14c32e48a14d5
tree b81e18af51ed61694bc4c6edf0d3864a79c848ff
parent 6e8f7b4f3e98deb90c8e2bc183b514c6780cb3a9

http.Client calls URL.String() to fill in the Referer header, which may
contain authentication info. This patch removes authentication info from
the Referer header without introducing any API changes.

A new test for net/http is also provided.

This is the polished version of Alberto García Hierro's
https://golang.org/cl/9766046/

It should handle https Referer right.

Fixes #8417

LGTM=bradfitz
R=golang-codereviews, gobot, bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/151430043
src/net/http/client.go
src/net/http/client_test.go
src/net/http/export_test.go
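
The leak the commit message describes, and one way to avoid it, shown as an added example (this is not the code from the commit). The helper name `sanitizedReferer`, the `mustParse` wrapper, and the sample URLs are assumptions made up for illustration; the https-to-http rule is the usual "no Referer on downgrade" behaviour that the message's remark about https is taken to mean.

```go
package main

import (
	"fmt"
	"net/url"
)

// sanitizedReferer is a hypothetical helper, not the net/http function.
// It builds a Referer value from the previous request URL with the
// userinfo removed, and returns "" when going from https to http.
func sanitizedReferer(last, next *url.URL) string {
	if last.Scheme == "https" && next.Scheme == "http" {
		return "" // do not reveal a secure URL to a plaintext origin
	}
	if last.User == nil {
		return last.String()
	}
	// Shallow-copy so the caller's URL keeps its credentials.
	clean := *last
	clean.User = nil
	return clean.String()
}

// mustParse parses a constructed sample URL and panics on error.
func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	// Constructed sample URLs; the credentials are placeholders.
	last := mustParse("http://gopher:go@example.test/private?x=1")
	next := mustParse("http://other.test/landing")

	// URL.String() serializes userinfo, which is what leaked.
	fmt.Println("naive:    ", last.String())
	fmt.Println("sanitized:", sanitizedReferer(last, next))

	secure := mustParse("https://gopher:go@example.test/private")
	fmt.Printf("downgrade: %q\n", sanitizedReferer(secure, next))
}
```
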