Skip to content

net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] [1.23 backport] #71211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gopherbot opened this issue Jan 9, 2025 · 2 comments
Closed

net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] [1.23 backport] #71211

gopherbot opened this issue Jan 9, 2025 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases Security
Milestone
Go1.23.5

Comments

@gopherbot
Copy link
Contributor

@neild requested issue #70530 to be considered for backport to the next 1.23 minor release.

@gopherbot please open backport issues for 1.22, 1.23, and 1.24
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Jan 9, 2025
@gopherbot gopherbot mentioned this issue Jan 9, 2025
Closed
@gopherbot gopherbot added this to the Go1.23.5 milestone Jan 9, 2025
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/643104 mentions this issue: [release-branch.go1.23] net/http: persist header stripping across repeated redirects

gopherbot pushed a commit that referenced this issue Jan 16, 2025
@neild @gopherbot
[release-branch.go1.23] net/http: persist header stripping across rep…
bb8230f 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For #70530
Fixes ##71211
Fixes CVE-2024-45336

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Commit-Queue: Roland Shoemaker <[email protected]>
Change-Id: I326544358de71ff892d9e9fe338252a5dd04001f
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1764
Reviewed-on: https://go-review.googlesource.com/c/go/+/643104
Auto-Submit: Michael Knyszek <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
@gopherbot
Copy link
Contributor Author

Closed by merging CL 643104 (commit bb8230f) to release-branch.go1.23.

@mknyszek mknyszek changed the title security: fix CVE-2024-45336 [1.23 backport] net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] [1.23 backport] Jan 16, 2025
@dmitshur dmitshur added CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Jan 16, 2025
@HDYA HDYA mentioned this issue Jan 21, 2025
Merged
mpminardi pushed a commit to tailscale/go that referenced this issue Jan 28, 2025
@neild @mpminardi
[release-branch.go1.23] net/http: persist header stripping across rep…
9d927a5 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For golang#70530
Fixes #golang#71211
Fixes CVE-2024-45336

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Commit-Queue: Roland Shoemaker <[email protected]>
Change-Id: I326544358de71ff892d9e9fe338252a5dd04001f
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1764
Reviewed-on: https://go-review.googlesource.com/c/go/+/643104
Auto-Submit: Michael Knyszek <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases Security
Projects
None yet
Milestone
Go1.23.5
Development

No branches or pull requests
2 participants
@dmitshur @gopherbot