Cypherpunks repositories - gostls13.git/commit
net/http/httputil: avoid query parameter smuggling
author Damien Neil <dneil@google.com>
Thu, 22 Sep 2022 20:32:00 +0000 (13:32 -0700)
committer Damien Neil <dneil@google.com>
Fri, 23 Sep 2022 21:06:17 +0000 (21:06 +0000)
commit 7c84234142149bd24a4096c6cab691d3593f3431
tree b62d2c34d19cd0754c0167d29d3dbef93fad02e5
parent 3dcf6e2c29f533865aad58488b60ae8d819a566e
net/http/httputil: avoid query parameter smuggling

Query parameter smuggling occurs when a proxy's interpretation
of query parameters differs from that of a downstream server.
Change ReverseProxy to avoid forwarding ignored query parameters.

Remove unparsable query parameters from the outbound request

   * if req.Form != nil after calling ReverseProxy.Director; and
   * before calling ReverseProxy.Rewrite.

This change preserves the existing behavior of forwarding the
raw query untouched if a Director hook does not parse the query
by calling Request.ParseForm (possibly indirectly).

Fixes #54663
Fixes CVE-2022-2880

Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9
Reviewed-on: https://go-review.googlesource.com/c/go/+/432976
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
src/net/http/httputil/reverseproxy.go
src/net/http/httputil/reverseproxy_test.go
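The mechanism the commit message describes, as an added example that is not part of this commit or of the Go project's own code: a constructed query `user=alice;admin=true&x=1` is parsed differently by Go's `url.ParseQuery` (which rejects the pair containing `;`) and by a downstream server that still treats `;` like `&`, as Go did before 1.17 following the old W3C recommendation. `permissiveParse` is a stand-in for such a backend, `cleanQuery` is an illustrative reimplementation (not the stdlib's `cleanQueryParams`) of the idea of forwarding only what the proxy's own parser accepted, and `runProxy` pushes the query through a real `httputil.ReverseProxy` whose Director calls `ParseForm`, using an in-process transport so no socket is opened; the upstream host `backend.invalid` is hypothetical and never dialled.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed demo query (not from the commit). Go's url.ParseQuery (1.17+)
// rejects the pair containing ';' with "invalid semicolon separator", while a
// server that still treats ';' like '&' reads admin=true out of the same bytes.
const smuggledQuery = "user=alice;admin=true&x=1"

// permissiveParse stands in for a downstream server whose parser accepts both
// '&' and ';' as separators (Go before 1.17 did, per the old W3C advice).
func permissiveParse(rawQuery string) url.Values {
	v := url.Values{}
	sep := func(r rune) bool { return r == '&' || r == ';' }
	for _, pair := range strings.FieldsFunc(rawQuery, sep) {
		k, val, _ := strings.Cut(pair, "=")
		uk, err1 := url.QueryUnescape(k)
		uv, err2 := url.QueryUnescape(val)
		if k == "" || err1 != nil || err2 != nil {
			continue
		}
		v.Add(uk, uv)
	}
	return v
}

// cleanQuery reimplements, for illustration only, what the commit describes:
// if any part of the raw query fails Go's own parser (a ';' pair or a bad %XX
// escape), forward only the parameters the parser accepted, re-encoded, so the
// proxy and the backend agree on what was sent. Otherwise forward it verbatim.
func cleanQuery(rawQuery string) string {
	parsed, err := url.ParseQuery(rawQuery)
	if err == nil {
		return rawQuery // unambiguous: unchanged, as before the fix
	}
	return parsed.Encode() // the dropped pairs are exactly those the proxy never saw
}

// captureTransport replaces the network: it records the query the proxy hands
// to the backend and answers 200 without touching a socket.
type captureTransport struct{ backendRawQuery string }

func (c *captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	c.backendRawQuery = r.URL.RawQuery
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    r,
	}, nil
}

// demoResult pairs the proxy's belief about admin= with what actually left it.
type demoResult struct {
	ProxySawAdmin   string // FormValue("admin") as seen inside the Director
	BackendRawQuery string // raw query handed to the transport
	BackendAdmin    string // what a ';'-tolerant backend reads from that
}

// runProxy sends rawQuery through httputil.ReverseProxy with a Director that
// parses the form, the way an access check would, and reports both views.
func runProxy(rawQuery string) demoResult {
	target, _ := url.Parse("http://backend.invalid") // hypothetical upstream
	rp := httputil.NewSingleHostReverseProxy(target)
	ct := &captureTransport{}
	rp.Transport = ct

	var res demoResult
	base := rp.Director
	rp.Director = func(r *http.Request) {
		base(r)
		// ParseForm sets r.Form. Go's parser rejects the "user=alice;admin=true"
		// pair, so the proxy believes no admin parameter is present. Before
		// CVE-2022-2880 the rejected pair was still forwarded verbatim; with the
		// fix, a non-nil Form after Director makes ReverseProxy strip it.
		_ = r.ParseForm()
		res.ProxySawAdmin = r.FormValue("admin")
	}

	req := httptest.NewRequest(http.MethodGet, "/?"+rawQuery, nil)
	rp.ServeHTTP(httptest.NewRecorder(), req)

	res.BackendRawQuery = ct.backendRawQuery
	res.BackendAdmin = permissiveParse(ct.backendRawQuery).Get("admin")
	return res
}

func main() {
	fmt.Printf("raw query:            %q\n", smuggledQuery)
	fmt.Printf("permissive backend:   admin=%q\n", permissiveParse(smuggledQuery).Get("admin"))
	strict, err := url.ParseQuery(smuggledQuery)
	fmt.Printf("Go proxy parser:      admin=%q err=%v\n", strict.Get("admin"), err)
	fmt.Printf("cleanQuery:           %q\n", cleanQuery(smuggledQuery))
	r := runProxy(smuggledQuery)
	fmt.Printf("through ReverseProxy: proxy admin=%q, backend got %q, backend admin=%q\n",
		r.ProxySawAdmin, r.BackendRawQuery, r.BackendAdmin)
}
```

On a toolchain that carries this fix the backend receives only `x=1`; on an older one it receives the full `user=alice;admin=true&x=1` and a `;`-tolerant backend reads `admin=true` even though the proxy's check saw nothing. Note the condition in the commit message: the stripping only happens when the Director leaves `Form` set, so a Director that never calls `ParseForm` (directly or via `FormValue`) still forwards the raw query untouched, and a proxy that filters on parsed parameters must parse them in the Director for the protection to apply.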