    net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue · b97df54c
    Brad Fitzpatrick authored
    Because,
    
    * The CGI spec defines that incoming request header "Foo: Bar" maps to
      environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)
    
    * The HTTP_PROXY environment variable is conventionally used to configure
      the HTTP proxy for HTTP clients (and is respected by default for
      Go's net/http.Client and Transport)
    
    That means Go programs running in a CGI environment (as a child
    process under a CGI host) are vulnerable to an incoming request
    containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
    changing where Go by default proxies all outbound HTTP requests.
    
    This is CVE-2016-5386, aka https://httpoxy.org/
    
    Fixes #16405
    
    Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
    Reviewed-on: https://go-review.googlesource.com/25010
    Run-TryBot: Chris Broadfoot <cbro@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
    Reviewed-by: Chris Broadfoot <cbro@golang.org>
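As an added example (not the commit's own diff), the mechanism the message describes and a defensive check modelled in Go: the RFC 3875 header-to-variable mapping turns a "Proxy:" request header into HTTP_PROXY, and a proxy lookup refuses that variable whenever REQUEST_METHOD shows the process is a CGI child. The names cgiEnv, proxyFromEnv and ErrCGIProxy are assumptions, and the env map stands in for os.Getenv.

```go
// Added example, not the commit's code: the CGI env mapping and a proxy lookup
// that refuses HTTP_PROXY inside a CGI child. All names here are invented.
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// cgiEnv builds the meta-variables a CGI host hands its child (RFC 3875 4.1.18):
// "Foo-Bar: x" becomes HTTP_FOO_BAR=x, so "Proxy: x" becomes HTTP_PROXY=x.
func cgiEnv(method string, h http.Header) map[string]string {
	env := map[string]string{"REQUEST_METHOD": method}
	for name, values := range h {
		key := "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		env[key] = strings.Join(values, ", ")
	}
	return env
}

// ErrCGIProxy signals that HTTP_PROXY came from the request, not an operator.
var ErrCGIProxy = errors.New("refusing HTTP_PROXY in CGI environment (REQUEST_METHOD is set)")

// proxyFromEnv resolves the proxy for a plain-HTTP request; env stands in for
// os.Getenv. REQUEST_METHOD is set for every CGI child and for no ordinary
// process, so its presence marks HTTP_PROXY as request-controlled.
func proxyFromEnv(env map[string]string) (*url.URL, error) {
	proxy := env["HTTP_PROXY"]
	if proxy == "" {
		return nil, nil // no proxy configured: connect directly
	}
	if env["REQUEST_METHOD"] != "" {
		return nil, ErrCGIProxy
	}
	if !strings.Contains(proxy, "://") {
		proxy = "http://" + proxy
	}
	return url.Parse(proxy)
}

func main() {
	// Constructed request carrying the header the commit message describes.
	env := cgiEnv("GET", http.Header{"Proxy": {"attacker.com:1234"}})
	fmt.Println("HTTP_PROXY =", env["HTTP_PROXY"])
	_, err := proxyFromEnv(env)
	fmt.Println(err)
}
```

Outside a CGI child (no REQUEST_METHOD), an operator-set HTTP_PROXY is still honoured, so the check removes only the request-controlled case.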
transport.go 60.8 KB