• Brad Fitzpatrick's avatar
    net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue · b97df54c
    Brad Fitzpatrick authored
    Because,
    
    * The CGI spec defines that incoming request header "Foo: Bar" maps to
      environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)
    
    * The HTTP_PROXY environment variable is conventionally used to configure
      the HTTP proxy for HTTP clients (and is respected by default for
      Go's net/http.Client and Transport)
    
    That means Go programs running in a CGI environment (as a child
    process under a CGI host) are vulnerable to an incoming request
    containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
    changing where Go by default proxies all outbound HTTP requests.
    
    This is CVE-2016-5386, aka https://httpoxy.org/
    
    Fixes #16405
    
    Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
    Reviewed-on: https://go-review.googlesource.com/25010
    Run-TryBot: Chris Broadfoot <cbro@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: 's avatarChris Broadfoot <cbro@golang.org>
    b97df54c
Name
Last commit
Last update
.github Loading commit data...
api Loading commit data...
doc Loading commit data...
lib/time Loading commit data...
misc Loading commit data...
src Loading commit data...
test Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
AUTHORS Loading commit data...
CONTRIBUTING.md Loading commit data...
CONTRIBUTORS Loading commit data...
LICENSE Loading commit data...
PATENTS Loading commit data...
README.md Loading commit data...
favicon.ico Loading commit data...
robots.txt Loading commit data...