Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch | 152 |
1 files changed, 152 insertions, 0 deletions
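--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+hop-by-hop headers
+
+Previously, we'd fail to remove the Connection header from a request
+like this:
+
+Connection:
+Connection: x-header
+
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+src/net/http/httputil/reverseproxy.go | 22 ++++----
+src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+2 files changed, 70 insertions(+), 15 deletions(-)
+
+Index: go/src/net/http/httputil/reverseproxy.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy.go
++++ go/src/net/http/httputil/reverseproxy.go
+@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
+// important is "Connection" because we want a persistent
+// connection, regardless of what the client sent to us.
+for _, h := range hopHeaders {
+- hv := outreq.Header.Get(h)
+- if hv == "" {
+- continue
+- }
+- if h == "Te" && hv == "trailers" {
+- // Issue 21096: tell backend applications that
+- // care about trailer support that we support
+- // trailers. (We do, but we don't go out of
+- // our way to advertise that unless the
+- // incoming client request thought it was
+- // worth mentioning)
+- continue
+- }
+outreq.Header.Del(h)
+}
+
++ // Issue 21096: tell backend applications that care about trailer support
++ // that we support trailers. (We do, but we don't go out of our way to
++ // advertise that unless the incoming client request thought it was worth
++ // mentioning.) Note that we look at req.Header, not outreq.Header, since
++ // the latter has passed through removeConnectionHeaders.
++ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
++ outreq.Header.Set("Te", "trailers")
++ }
++
+// After stripping all the hop-by-hop connection headers above, add back any
+// necessary for protocol upgrades, such as for websockets.
+if reqUpType != "" {
+Index: go/src/net/http/httputil/reverseproxy_test.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy_test.go
++++ go/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+
+getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+getReq.Host = "some-name"
+- getReq.Header.Set("Connection", "close")
+- getReq.Header.Set("Te", "trailers")
++ getReq.Header.Set("Connection", "close, TE")
++ getReq.Header.Add("Te", "foo")
++ getReq.Header.Add("Te", "bar, trailers")
+getReq.Header.Set("Proxy-Connection", "should be deleted")
+getReq.Header.Set("Upgrade", "foo")
+getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
+}
+}
+
++func TestReverseProxyStripEmptyConnection(t *testing.T) {
++ // See Issue 46313.
++ const backendResponse = "I am the backend"
++
++ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
++ // in the Request's Connection header.
++ const someConnHeader = "X-Some-Conn-Header"
++
++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ if c := r.Header.Values("Connection"); len(c) != 0 {
++ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
++ }
++ if c := r.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++ w.Header().Add("Connection", "")
++ w.Header().Add("Connection", someConnHeader)
++ w.Header().Set(someConnHeader, "should be deleted")
++ io.WriteString(w, backendResponse)
++ }))
++ defer backend.Close()
++ backendURL, err := url.Parse(backend.URL)
++ if err != nil {
++ t.Fatal(err)
++ }
++ proxyHandler := NewSingleHostReverseProxy(backendURL)
++ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
++ proxyHandler.ServeHTTP(w, r)
++ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
++ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
++ }
++ }))
++ defer frontend.Close()
++
++ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
++ getReq.Header.Add("Connection", "")
++ getReq.Header.Add("Connection", someConnHeader)
++ getReq.Header.Set(someConnHeader, "should be deleted")
++ res, err := frontend.Client().Do(getReq)
++ if err != nil {
++ t.Fatalf("Get: %v", err)
++ }
++ defer res.Body.Close()
++ bodyBytes, err := ioutil.ReadAll(res.Body)
++ if err != nil {
++ t.Fatalf("reading body: %v", err)
++ }
++ if got, want := string(bodyBytes), backendResponse; got != want {
++ t.Errorf("got body %q; want %q", got, want)
++ }
++ if c := res.Header.Get("Connection"); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
++ }
++ if c := res.Header.Get(someConnHeader); c != "" {
++ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
++ }
++}
++
+func TestXForwardedFor(t *testing.T) {
+const prevForwardedFor = "client ip"
+const backendResponse = "I am the backend"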
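Review bot: The patch header (new-file lines 4 and 27) still carries the upstream `[release-branch.go1.15]` subject while the file lives under go-1.14, and its hunks use quilt-style `Index:`/`go.orig` paths rather than the upstream git format, so the rebase onto 1.14 is implied but never stated. A one-line note under `Upstream-Status: Backport`, e.g. `Backported from release-branch.go1.15 (CL 321929) and rebased onto the go 1.14 sources; hunk offsets regenerated.`, would let a later reviewer tell an unmodified upstream cherry-pick from a hand-adjusted backport. The code change itself is the complete upstream fix — unconditional `outreq.Header.Del(h)` for every entry in hopHeaders, with `Te: trailers` re-added from `req.Header` via `httpguts.HeaderValuesContainsToken` — and the new `TestReverseProxyStripEmptyConnection` exercises exactly the empty-valued `Connection` case the description calls out. The SRC_URI entry that makes the recipe apply this patch is not in this file section (the diffstat is limited to the patch file), so it presumably lands elsewhere in the same commit.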