go/src
Damien Neil 6783377295 net/http: persist header stripping across repeated redirects
When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  5. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For #70530
Fixes CVE-2024-45336

Change-Id: Ia58a2e10d33d6b0cc7220935e771450e5c34de72
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643095
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
2025-01-16 10:58:54 -08:00
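The chain in the commit message can be reproduced against two local servers. The program below is an added example written for this page, not code from the Go tree or from the fix itself: it maps two hypothetical host names, a.example and b.example, onto httptest listeners through a custom DialContext so the client observes a genuine host change, sends a constructed Authorization value through the a → b → b chain, and reports what each server received. It also shows StripSensitiveAfterHostChange, an illustrative CheckRedirect policy (my own, not the net/http fix) that enforces the same invariant on the client side: once a chain has left the initial request's domain, the sensitive headers are never re-attached, even on a later same-host hop.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// sensitiveHeaders are the headers net/http declines to forward to a
// different host on redirect.
var sensitiveHeaders = []string{"Authorization", "Www-Authenticate", "Cookie", "Cookie2"}

// Hop is what a server observed for one request in the redirect chain.
type Hop struct {
	Host, Path, Authorization string
}

// sameOrSubdomain reports whether host equals parent or is a subdomain of it.
func sameOrSubdomain(host, parent string) bool {
	host, parent = strings.ToLower(host), strings.ToLower(parent)
	return host == parent || strings.HasSuffix(host, "."+parent)
}

// StripSensitiveAfterHostChange is an illustrative CheckRedirect policy
// (not part of net/http): once any hop in the chain has left the domain of
// the initial request, sensitive headers are removed from every later hop,
// including a hop that returns to an otherwise allowed host.
func StripSensitiveAfterHostChange(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	origin := via[0].URL.Hostname() // via[0] is the initial request
	left := !sameOrSubdomain(req.URL.Hostname(), origin)
	for _, v := range via[1:] {
		if !sameOrSubdomain(v.URL.Hostname(), origin) {
			left = true
		}
	}
	if left {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// RunChain reproduces the commit's scenario with hypothetical hosts
// a.example and b.example backed by local test servers: a.example redirects
// to b.example, b.example redirects to itself once, then answers 200.
// It returns the hops the servers saw, in order. A nil checkRedirect uses
// the client's default redirect policy.
func RunChain(checkRedirect func(*http.Request, []*http.Request) error) ([]Hop, error) {
	var mu sync.Mutex
	var hops []Hop
	record := func(r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		hops = append(hops, Hop{r.Host, r.URL.Path, r.Header.Get("Authorization")})
	}
	srvA := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		record(r)
		http.Redirect(w, r, "http://b.example/hop", http.StatusFound) // host change
	}))
	defer srvA.Close()
	srvB := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		record(r)
		if r.URL.Path == "/hop" {
			http.Redirect(w, r, "/final", http.StatusFound) // same host
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer srvB.Close()

	// Route the fake host names to the local listeners; the client still
	// sees "a.example" and "b.example" as distinct hosts.
	backends := map[string]string{
		"a.example": srvA.Listener.Addr().String(),
		"b.example": srvB.Listener.Addr().String(),
	}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, _, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			target, ok := backends[host]
			if !ok {
				return nil, fmt.Errorf("unexpected host %q", host)
			}
			return (&net.Dialer{}).DialContext(ctx, network, target)
		},
	}
	defer transport.CloseIdleConnections()
	client := &http.Client{Transport: transport, CheckRedirect: checkRedirect}

	req, err := http.NewRequest(http.MethodGet, "http://a.example/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer constructed-token") // constructed credential
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return append([]Hop(nil), hops...), nil
}

func main() {
	policies := map[string]func(*http.Request, []*http.Request) error{
		"default CheckRedirect":         nil,
		"StripSensitiveAfterHostChange": StripSensitiveAfterHostChange,
	}
	for name, policy := range policies {
		hops, err := RunChain(policy)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Println(name)
		for i, h := range hops {
			fmt.Printf("  %d. %s%s Authorization=%q\n", i+1, h.Host, h.Path, h.Authorization)
		}
	}
}
```

With either policy the first hop carries the header and the cross-host hop to b.example does not. The third hop is where the two differ: a Go build that includes this commit leaves it empty under the default policy as well, while a build without the fix restores the header there because the redirect from b.example to b.example is judged against the previous hop rather than against the whole chain. The StripSensitiveAfterHostChange policy gives the stripped result on every version, which is useful for code that must run on toolchains you do not control.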
archive
arena
bufio bufio: make the description of Peek's behavior better 2024-12-09 16:30:42 +00:00
builtin builtin: use list instead of indentation for comments in cap, len, and make 2024-12-30 15:59:23 -08:00
bytes bytes, strings: add cross-references in docstrings 2024-12-17 11:08:32 -08:00
cmd cmd/go/internal/modfetch: do not trust server to send all tags in shallow fetch 2025-01-14 10:07:07 -08:00
cmp
compress
container
context context: use "canceled" in docs to refer to timed-out contexts 2025-01-03 14:30:13 -08:00
crypto crypto/internal/fips140test: add hmac DRBG ACVP tests 2025-01-10 14:12:31 -08:00
database/sql
debug debug/elf: adjust version API per issue discussion 2024-12-17 13:28:29 -08:00
embed embed: document exclusions more explicitly 2024-12-05 17:20:19 +00:00
encoding encoding/json: cleanup tests 2025-01-14 14:54:07 -08:00
errors
expvar
flag
fmt fmt, strconv: document that exponent is always two digits 2024-12-17 07:54:13 -08:00
go go/types, types2: don't panic when instantiating generic alias with wrong number of type arguments 2025-01-13 10:30:43 -08:00
hash hash/maphash, cmd/compile: make Comparable[string] not escape its argument 2024-12-02 21:27:06 +00:00
html html/template: escape script tags in JS errors case insensitively 2024-12-10 19:03:42 +00:00
image internal/byteorder: use canonical Go casing in names 2024-11-20 20:59:28 +00:00
index/suffixarray
internal internal/runtime/maps: re-enable some tests 2025-01-14 09:55:06 -08:00
io io: simplify tests by removing redundant statements 2024-11-05 19:52:23 +00:00
iter iter: improve documentation with iterator example 2024-12-27 05:44:33 -08:00
log log/slog: make DiscardHandler example package-level 2024-12-11 13:06:33 -08:00
maps all: fix some function names and typos in comment 2024-11-21 22:16:20 +00:00
math math/bits: update reference to debruijn paper 2024-12-04 22:15:36 +00:00
mime mime: disable TestLookupMallocs with ASAN 2024-11-19 02:54:28 +00:00
net net/http: persist header stripping across repeated redirects 2025-01-16 10:58:54 -08:00
os os: mention fsys modifications during CopyFS 2024-12-30 12:23:28 -08:00
path internal/copyright: add test that copyright notices exist 2024-11-21 16:12:09 +00:00
plugin
reflect reflect: consistently document when value must be settable 2024-12-11 04:00:12 +00:00
regexp
runtime internal/runtime/maps: re-enable some tests 2025-01-14 09:55:06 -08:00
slices slices: document two oddities 2024-12-21 08:22:08 -08:00
sort sort: add examples for SearchStrings, SliceIsSorted 2024-12-03 17:07:42 +00:00
strconv fmt, strconv: document that exponent is always two digits 2024-12-17 07:54:13 -08:00
strings bytes, strings: add cross-references in docstrings 2024-12-17 11:08:32 -08:00
structs
sync sync: document RWMutex locks cannot be upgraded / downgraded 2024-12-04 02:44:30 +00:00
syscall syscall/js: adjust comments to that gofmt does not change them 2025-01-13 11:11:07 -08:00
testdata
testing testing/fstest: fix function name and comment 2025-01-14 09:43:06 -08:00
text text/template: don't crash piping to call with no arguments 2024-11-18 16:24:22 +00:00
time internal/synctest: new package for testing concurrent code 2024-11-19 19:40:40 +00:00
unicode
unique unique: fix typo 2024-12-30 08:59:20 -08:00
unsafe
vendor all: update vendored dependencies [generated] 2024-12-06 18:34:31 +00:00
weak weak: don't panic when calling Value on a zero Pointer 2025-01-07 10:08:42 -08:00
Make.dist
README.vendor
all.bash
all.bat
all.rc
bootstrap.bash
buildall.bash
clean.bash
clean.bat
clean.rc
cmp.bash
go.mod all: update vendored dependencies [generated] 2024-12-06 18:34:31 +00:00
go.sum all: update vendored dependencies [generated] 2024-12-06 18:34:31 +00:00
make.bash
make.bat
make.rc make.rc: correct test for undefined GOROOT_BOOTSTRAP 2024-11-14 18:02:59 +00:00
race.bash
race.bat
run.bash
run.bat
run.rc

README.vendor

Vendoring in std and cmd
========================

The Go command maintains copies of external packages needed by the
standard library in the src/vendor and src/cmd/vendor directories.

There are two modules, std and cmd, defined in src/go.mod and
src/cmd/go.mod. When a package outside std or cmd is imported
by a package inside std or cmd, the import path is interpreted
as if it had a "vendor/" prefix. For example, within "crypto/tls",
an import of "golang.org/x/crypto/cryptobyte" resolves to
"vendor/golang.org/x/crypto/cryptobyte". When a package with the
same path is imported from a package outside std or cmd, it will
be resolved normally. Consequently, a binary may be built with two
copies of a package at different versions if the package is
imported normally and vendored by the standard library.

Vendored packages are internally renamed with a "vendor/" prefix
to preserve the invariant that all packages have distinct paths.
This is necessary to avoid compiler and linker conflicts. Adding
a "vendor/" prefix also maintains the invariant that standard
library packages begin with a dotless path element.

The module requirements of std and cmd do not influence version
selection in other modules. They are only considered when running
module commands like 'go get' and 'go mod vendor' from a directory
in GOROOT/src.

Maintaining vendor directories
==============================

Before updating vendor directories, ensure that module mode is enabled.
Make sure that GO111MODULE is not set in the environment, or that it is
set to 'on' or 'auto', and if you use a go.work file, set GOWORK=off.

Also, ensure that 'go env GOROOT' shows the root of this Go source
tree. Otherwise, the results are undefined. It's recommended to build
Go from source and use that 'go' binary to update its source tree.

Requirements may be added, updated, and removed with 'go get'.
The vendor directory may be updated with 'go mod vendor'.
A typical sequence might be:

    cd src  # or src/cmd
    go get golang.org/x/net@master
    go mod tidy
    go mod vendor

Use caution when passing '-u' to 'go get'. The '-u' flag updates
modules providing all transitively imported packages, not only
the module providing the target package.

Note that 'go mod vendor' only copies packages that are transitively
imported by packages in the current module. If a new package is needed,
it should be imported before running 'go mod vendor'.