From b897e97c36cb62629a458bc681723ca733404e32 Mon Sep 17 00:00:00 2001 From: Neal Patel Date: Wed, 21 May 2025 14:11:44 -0400 Subject: [PATCH] [release-branch.go1.23] net/http: strip sensitive proxy headers from redirect requests Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain. https://fetch.spec.whatwg.org/#authentication-entries Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. Updates golang/go#73816 Fixes golang/go#73905 Fixes CVE-2025-4673 Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0 Reviewed-on: https://go-review.googlesource.com/c/go/+/679255 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Knyszek --- src/net/http/client.go | 3 ++- src/net/http/client_test.go | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/net/http/client.go b/src/net/http/client.go index f8892c2bc2..2fe49cb93d 100644 --- a/src/net/http/client.go +++ b/src/net/http/client.go @@ -803,7 +803,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit for k, vv := range ireqhdr { sensitive := false switch CanonicalHeaderKey(k) { - case "Authorization", "Www-Authenticate", "Cookie", "Cookie2": + case "Authorization", "Www-Authenticate", "Cookie", "Cookie2", + "Proxy-Authorization", "Proxy-Authenticate": sensitive = true } if !(sensitive && stripSensitiveHeaders) { diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go index d57096fc22..1f9eebea57 100644 --- a/src/net/http/client_test.go +++ b/src/net/http/client_test.go @@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { if r.Host+r.URL.Path != "a.example.com/" { if h := r.Header.Get("Authorization"); h != "" { t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h) + } else if h := r.Header.Get("Proxy-Authorization"); h != "" { + t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h) } } // Follow a chain of redirects from a to b and back to a. @@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) { req, _ := NewRequest("GET", proto+"://a.example.com/", nil) req.Header.Add("Cookie", "foo=bar") req.Header.Add("Authorization", "secretpassword") + req.Header.Add("Proxy-Authorization", "secretpassword") res, err := c.Do(req) if err != nil { t.Fatal(err) -- 2.50.0