net/http: preserve nil values in Header.Clone

ReverseProxy makes a distinction between nil and zero-length header values.
Avoid losing nil-ness when cloning a request.

Thanks to Christian Mehlmauer for discovering this.

Fixes #53423
Fixes CVE-2022-32148

Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5
Reviewed-on: https://go-review.googlesource.com/c/go/+/412857
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/net/http/header.go b/src/net/http/header.go
index 6487e5025d718d20ef8994bcd06c634169643034..6437f2d2c07529a35a2268fc0ef7fde404835d5b 100644 (file)
--- a/src/net/http/header.go
+++ b/src/net/http/header.go
@@ -103,6 +103,12 @@ func (h Header) Clone() Header {
        sv := make([]string, nv) // shared backing array for headers' values
        h2 := make(Header, len(h))
        for k, vv := range h {
+               if vv == nil {
+                       // Preserve nil values. ReverseProxy distinguishes
+                       // between nil and zero-length header values.
+                       h2[k] = nil
+                       continue
+               }
                n := copy(sv, vv)
                h2[k] = sv[:n:n]
                sv = sv[n:]

diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go
index 57d16f51a5d62e662847b47fbf33203048c8b8bb..0b13d311aca2a3bd1f7025ceb4513fe7baf93aeb 100644 (file)
--- a/src/net/http/header_test.go
+++ b/src/net/http/header_test.go
@@ -248,6 +248,11 @@ func TestCloneOrMakeHeader(t *testing.T) {
                        in:   Header{"foo": {"bar"}},
                        want: Header{"foo": {"bar"}},
                },
+               {
+                       name: "nil value",
+                       in:   Header{"foo": nil},
+                       want: Header{"foo": nil},
+               },
        }
 
        for _, tt := range tests {