net/http: strip sensitive proxy headers from redirect requests
authorNeal Patel <nealpatel@google.com>
Wed, 21 May 2025 18:11:44 +0000 (14:11 -0400)
committerCarlos Amedee <carlos@golang.org>
Thu, 5 Jun 2025 18:44:48 +0000 (11:44 -0700)
Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

For #73816
Fixes CVE-2025-4673

Change-Id: Ied7b641f6531f1d340ccba3c636d3c30dd5547d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/679257
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
src/net/http/client.go
src/net/http/client_test.go

index 43a7a06bfbb7c4db182d70ebecf40306cf368686..ba095ea1e34e5cdf9450cdf6e6a3282616f09768 100644 (file)
@@ -806,7 +806,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit
                for k, vv := range ireqhdr {
                        sensitive := false
                        switch CanonicalHeaderKey(k) {
-                       case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
+                       case "Authorization", "Www-Authenticate", "Cookie", "Cookie2",
+                               "Proxy-Authorization", "Proxy-Authenticate":
                                sensitive = true
                        }
                        if !(sensitive && stripSensitiveHeaders) {
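Review bot: The widened `case` has no comment explaining why proxy credentials belong in this list, and the reason differs from the neighbouring entries: these headers authenticate the client to a proxy hop, not to the origin server. A line above the case such as `// Proxy-* credentials are meant for the proxy hop; never replay them to a redirect target on another domain.` would record that for the next maintainer. If the package documentation enumerates the headers dropped on cross-domain redirects, it should name the two new ones as well; that text is not visible here. The closure in makeHeadersCopier starts and ends outside the hunk, and whether stripSensitiveHeaders is set is decided by code that is not shown.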
index f2e04ca4e82522dee3a6e325b89462d618f6915f..8f88e29ad2470c904ef5e41bf3b9f723df07dad8 100644 (file)
@@ -1550,6 +1550,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
                if r.Host+r.URL.Path != "a.example.com/" {
                        if h := r.Header.Get("Authorization"); h != "" {
                                t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
+                       } else if h := r.Header.Get("Proxy-Authorization"); h != "" {
+                               t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h)
                        }
                }
                // Follow a chain of redirects from a to b and back to a.
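Review bot: The new assertion hangs off the Authorization check as `else if`, so a request that leaks both headers reports only Authorization, and the Proxy-Authorization leak stays hidden until the first one is fixed. Independent checks would report every leaked credential in one run: close the first `if` with `}` and start `if h := r.Header.Get("Proxy-Authorization"); h != "" {` as its own statement. The handler body continues outside the hunk.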
@@ -1578,6 +1580,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
        req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
        req.Header.Add("Cookie", "foo=bar")
        req.Header.Add("Authorization", "secretpassword")
+       req.Header.Add("Proxy-Authorization", "secretpassword")
        res, err := c.Do(req)
        if err != nil {
                t.Fatal(err)
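Review bot: Only Proxy-Authorization is set on the initial request, while client.go also adds Proxy-Authenticate to the sensitive set, so as far as the visible lines show, nothing in this test fails if that second case is later dropped. Adding `req.Header.Add("Proxy-Authenticate", "Basic realm=test")` (a constructed value) next to the new line, with a matching `r.Header.Get("Proxy-Authenticate")` check in the handler, would pin both entries. The test function starts and ends outside the hunk.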