From 85897ca220a149333a88b1e4d63f3b751f1141f5 Mon Sep 17 00:00:00 2001 From: Neal Patel Date: Wed, 21 May 2025 14:11:44 -0400 Subject: [PATCH] [release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain. https://fetch.spec.whatwg.org/#authentication-entries Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. Updates golang/go#73816 Fixes golang/go#73906 Fixes CVE-2025-4673 Change-Id: I8a0f30d5d6bff6c71689bba6efa0b747947e7eb0 Reviewed-on: https://go-review.googlesource.com/c/go/+/679256 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Knyszek --- src/net/http/client.go | 3 ++- src/net/http/client_test.go | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/net/http/client.go b/src/net/http/client.go index 9231f63e65..a814cf3bdb 100644 --- a/src/net/http/client.go +++ b/src/net/http/client.go @@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit for k, vv := range ireqhdr { sensitive := false switch CanonicalHeaderKey(k) { - case "Authorization", "Www-Authenticate", "Cookie", "Cookie2": + case "Authorization", "Www-Authenticate", "Cookie", "Cookie2", + "Proxy-Authorization", "Proxy-Authenticate": sensitive = true } if !(sensitive && stripSensitiveHeaders) { diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go index 1ce9539528..8ab4f58d64 100644 --- a/src/net/http/client_test.go +++ b/src/net/http/client_test.go @@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { if r.Host+r.URL.Path != "a.example.com/" { if h := r.Header.Get("Authorization"); h != "" { t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h) + } else if h := r.Header.Get("Proxy-Authorization"); h != "" { + t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h) } } // Follow a chain of redirects from a to b and back to a. @@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { req, _ := NewRequest("GET", proto+"://a.example.com/", nil) req.Header.Add("Cookie", "foo=bar") req.Header.Add("Authorization", "secretpassword") + req.Header.Add("Proxy-Authorization", "secretpassword") res, err := c.Do(req) if err != nil { t.Fatal(err) -- 2.50.0