CVE-2021-36221
Origin: https://github.com/golang/go/commit/
b7a85e0003cedb1b48a1fd3ae5b746ec6330102e
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21
From
b7a85e0003cedb1b48a1fd3ae5b746ec6330102e Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 7 Jul 2021 16:34:34 -0700
Subject: [PATCH] net/http/httputil: close incoming ReverseProxy request body
Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, becuse http.Server does not (contrary
to its documentation) close the request body in this case.
Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.
Updates #46866
Fixes CVE-2021-36221
Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Gbp-Pq: Name CVE-2021-36221.patch
projects / golang-1.7.git / commit