projects / golang-1.15.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 29f17db) | patch
[PATCH] [release-branch.go1.15] net/http/httputil: always remove hop-by-hop headers
authorFilippo Valsorda <filippo@golang.org>
Fri, 21 May 2021 18:02:30 +0000 (14:02 -0400)
committerShengjing Zhu <zhsj@debian.org>
Sat, 5 Jun 2021 11:36:34 +0000 (12:36 +0100)
commita9c71cc3b0f66e7d3757d1ceb30167988d83389c
tree5b8fa7ae3d4c06e37abf6b4e98622063b81f6b3dtree | snapshot
parent29f17db456e9811aa6fc16cc84d496d6ccd28b92commit | diff
[PATCH] [release-branch.go1.15] net/http/httputil: always remove hop-by-hop headers

Previously, we'd fail to remove the Connection header from a request
like this:

    Connection:
    Connection: x-header

Updates #46313
Fixes #46314
Fixes CVE-2021-33197

Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
Run-TryBot: Katie Hockman <katie@golang.org>

Gbp-Pq: Name 0011-CVE-2021-33197.patch
src/net/http/httputil/reverseproxy.go diff | blob | history
src/net/http/httputil/reverseproxy_test.go diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.