CVE-2021-36221
author Go Compiler Team <team+go-compiler@tracker.debian.org>
Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)
committer Sylvain Beucler <beuc@debian.org>
Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)
commit c62e09ec478d217adf4d4041adb535f33950e75b
tree b7df0ac3f6c511bee9e6d43ad0a02caa33a73ae0
parent bb2a9578c26f03a11456721b94e565babb58935b
CVE-2021-36221

Origin: https://github.com/golang/go/commit/ba93baa74a52d57ae79313313ea990cc791ef50e
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-15

From ba93baa74a52d57ae79313313ea990cc791ef50e Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 7 Jul 2021 16:34:34 -0700
Subject: [PATCH] [release-branch.go1.15] net/http/httputil: close incoming
 ReverseProxy request body

Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, because http.Server does not (contrary
to its documentation) close the request body in this case.

Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.

Fixes #47473
Updates #46866
Fixes CVE-2021-36221

Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit b7a85e0003cedb1b48a1fd3ae5b746ec6330102e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/338550
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Gbp-Pq: Name CVE-2021-36221.patch
src/net/http/httputil/reverseproxy.go
src/net/http/httputil/reverseproxy_test.go
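
The guarantee the commit message describes, applied to an arbitrary handler as an added example (not code from the Go project or from this Debian patch). The names guardedBody, closeBody and abortedRead are hypothetical and the request body is constructed; http.ErrAbortHandler and http.ErrBodyReadAfterClose are the standard library's own values.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// guardedBody (hypothetical) rejects reads once Close has been called.
type guardedBody struct {
	rc     io.ReadCloser
	closed atomic.Bool
}

func (b *guardedBody) Read(p []byte) (int, error) {
	if b.closed.Load() {
		return 0, http.ErrBodyReadAfterClose
	}
	return b.rc.Read(p)
}
func (b *guardedBody) Close() error { b.closed.Store(true); return b.rc.Close() }

// closeBody (hypothetical) closes the incoming body when the handler returns or panics.
func closeBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = &guardedBody{rc: r.Body}
		defer r.Body.Close() // runs during panic unwinding as well
		next.ServeHTTP(w, r)
	})
}

// abortedRead aborts a handler that leaked the body and returns the error of a later read.
func abortedRead() error {
	var leaked io.Reader
	h := closeBody(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		leaked = r.Body // stands in for an in-flight outgoing request
		panic(http.ErrAbortHandler)
	}))
	func() {
		defer func() { recover() }() // plays the role of http.Server's recovery
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("POST", "/", strings.NewReader("constructed body")))
	}()
	_, err := leaked.Read(make([]byte, 8))
	return err
}
func main() { fmt.Println(abortedRead()) }
```

A Read that is already in progress when Close runs is still governed by the underlying body; the guard only rejects reads that start after the close.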