net/http/httputil: remove custom hop-by-hop headers from response in ReverseProxy

Hop-by-hop headers (explicitly mentioned in RFC 2616) were already
removed from the response. This removes the custom hop-by-hop
headers listed in the "Connection" header of the response.

Updates #16875

Change-Id: I6b8f261d38b8d72040722f3ded29755ef0303427
Reviewed-on: https://go-review.googlesource.com/28810
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
index 2b38e0fdd87d95a690cfd90b01414ba381fe05fe..f8b60b6d335915f6bdbc001789572c2dcc39128f 100644 (file)
--- a/src/net/http/httputil/reverseproxy.go
+++ b/src/net/http/httputil/reverseproxy.go
@@ -156,7 +156,7 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
        // copied above) so we only copy it if necessary.
        copiedHeaders := false
 
-       // Remove headers with the same name as the connection-tokens.
+       // Remove hop-by-hop headers listed in the "Connection" header.
        // See RFC 2616, section 14.10.
        if c := outreq.Header.Get("Connection"); c != "" {
                for _, f := range strings.Split(c, ",") {
@@ -202,6 +202,16 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
                return
        }
 
+       // Remove hop-by-hop headers listed in the
+       // "Connection" header of the response.
+       if c := res.Header.Get("Connection"); c != "" {
+               for _, f := range strings.Split(c, ",") {
+                       if f = strings.TrimSpace(f); f != "" {
+                               res.Header.Del(f)
+                       }
+               }
+       }
+
        for _, h := range hopHeaders {
                res.Header.Del(h)
        }

diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go
index 870df130b1cd47c211285723af532d9fc4b35116..8b5bd797a7eb792e01d506e433a3cf2511c64462 100644 (file)
--- a/src/net/http/httputil/reverseproxy_test.go
+++ b/src/net/http/httputil/reverseproxy_test.go
@@ -148,6 +148,9 @@ func TestReverseProxyStripHeadersPresentInConnection(t *testing.T) {
                if c := r.Header.Get("Upgrade"); c != "" {
                        t.Errorf("handler got header %q = %q; want empty", "Upgrade", c)
                }
+               w.Header().Set("Connection", "Upgrade, "+fakeConnectionToken)
+               w.Header().Set("Upgrade", "should be deleted")
+               w.Header().Set(fakeConnectionToken, "should be deleted")
                io.WriteString(w, backendResponse)
        }))
        defer backend.Close()
@@ -180,6 +183,12 @@ func TestReverseProxyStripHeadersPresentInConnection(t *testing.T) {
        if got, want := string(bodyBytes), backendResponse; got != want {
                t.Errorf("got body %q; want %q", got, want)
        }
+       if c := res.Header.Get("Upgrade"); c != "" {
+               t.Errorf("handler got header %q = %q; want empty", "Upgrade", c)
+       }
+       if c := res.Header.Get(fakeConnectionToken); c != "" {
+               t.Errorf("handler got header %q = %q; want empty", fakeConnectionToken, c)
+       }
 }
 
 func TestXForwardedFor(t *testing.T) {