Skip to content

net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] [1.22 backport] #71210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Jan 9, 2025 · 2 comments
Closed

net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] [1.22 backport] #71210

gopherbot opened this issue Jan 9, 2025 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases Security
Milestone
Go1.22.11

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #70530 to be considered for backport to the next 1.22 minor release.

@gopherbot please open backport issues for 1.22, 1.23, and 1.24
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Jan 9, 2025
@gopherbot gopherbot mentioned this issue Jan 9, 2025
Closed
@gopherbot gopherbot added this to the Go1.22.11 milestone Jan 9, 2025
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/643106 mentions this issue: [release-branch.go1.22] net/http: persist header stripping across repeated redirects

gopherbot pushed a commit that referenced this issue Jan 16, 2025
@neild @gopherbot
[release-branch.go1.22] net/http: persist header stripping across rep…
b72d56f 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

Fixes #70530
For #71210
Fixes CVE-2024-45336

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Commit-Queue: Roland Shoemaker <[email protected]>
Change-Id: Id7b1e3c90345566b8ee1a51f65dbb179da6eb427
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1765
Reviewed-on: https://go-review.googlesource.com/c/go/+/643106
Reviewed-by: Michael Pratt <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
@gopherbot
Copy link
Contributor Author

Closed by merging CL 643106 (commit b72d56f) to release-branch.go1.22.

@mknyszek mknyszek changed the title security: fix CVE-2024-45336 [1.22 backport] net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] [1.22 backport] Jan 16, 2025
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 16, 2025
@ncaak ncaak mentioned this issue Jan 27, 2025
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases Security
Projects
None yet
Milestone
Go1.22.11
Development

No branches or pull requests
2 participants
@dmitshur @gopherbot