[release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

Updates golang/go#73816
Fixes golang/go#73906
Fixes CVE-2025-4673

Change-Id: I8a0f30d5d6bff6c71689bba6efa0b747947e7eb0
Reviewed-on: https://go-review.googlesource.com/c/go/+/679256
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>

diff --git a/src/net/http/client.go b/src/net/http/client.go
index 9231f63e65b134cf5302c66e59c7ae09c23db93f..a814cf3bdbcbf09729572f9b56e5760bc6742ddc 100644 (file)
--- a/src/net/http/client.go
+++ b/src/net/http/client.go
@@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit
                for k, vv := range ireqhdr {
                        sensitive := false
                        switch CanonicalHeaderKey(k) {
-                       case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
+                       case "Authorization", "Www-Authenticate", "Cookie", "Cookie2",
+                               "Proxy-Authorization", "Proxy-Authenticate":
                                sensitive = true
                        }
                        if !(sensitive && stripSensitiveHeaders) {

diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
index 1ce9539528c668dae535cf8e3bcec3dca60e951e..8ab4f58d64ce2eb6586818ed19ab75fa02a0f867 100644 (file)
--- a/src/net/http/client_test.go
+++ b/src/net/http/client_test.go
@@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
                if r.Host+r.URL.Path != "a.example.com/" {
                        if h := r.Header.Get("Authorization"); h != "" {
                                t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
+                       } else if h := r.Header.Get("Proxy-Authorization"); h != "" {
+                               t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h)
                        }
                }
                // Follow a chain of redirects from a to b and back to a.
@@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
        req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
        req.Header.Add("Cookie", "foo=bar")
        req.Header.Add("Authorization", "secretpassword")
+       req.Header.Add("Proxy-Authorization", "secretpassword")
        res, err := c.Do(req)
        if err != nil {
                t.Fatal(err)