Cypherpunks.ru repositories - gostls13.git/commit

author	Brad Fitzpatrick <bradfitz@golang.org>
	Mon, 18 Jul 2016 06:05:24 +0000 (06:05 +0000)
committer	Chris Broadfoot <cbro@golang.org>
	Mon, 18 Jul 2016 14:58:26 +0000 (14:58 +0000)
commit	b97df54c31d6c4cc2a28a3c83725366d52329223
tree	4fd9352aa2ac883ba215e1cc2394540c3de09281	tree
parent	2837c395526476e31fb15dbb948ed77389cdc75b	commit \| diff

net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue

Because,

* The CGI spec defines that incoming request header "Foo: Bar" maps to
  environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)

* The HTTP_PROXY environment variable is conventionally used to configure
  the HTTP proxy for HTTP clients (and is respected by default for
  Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

Fixes #16405

Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>

src/net/http/cgi/host.go		diff \| blob \| history
src/net/http/cgi/host_test.go		diff \| blob \| history
src/net/http/transport.go		diff \| blob \| history
src/net/http/transport_test.go		diff \| blob \| history