1 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
new file mode 100644
index 0000000000..2052b1d3db
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
+From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Fri, 21 May 2021 14:02:30 -0400
+Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
+ hop-by-hop headers
+Previously, we'd fail to remove the Connection header from a request
+like this:
+    Connection:
+    Connection: x-header
+Updates #46313
+Fixes #46314
+Fixes CVE-2021-33197
+Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Trust: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
+Run-TryBot: Katie Hockman <katie@golang.org>
+Upstream-Status: Backport
+CVE: CVE-2021-33197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/net/http/httputil/reverseproxy.go      | 22 ++++----
+ src/net/http/httputil/reverseproxy_test.go | 63 +++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 15 deletions(-)
+Index: go/src/net/http/httputil/reverseproxy.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy.go
+++ go/src/net/http/httputil/reverseproxy.go
+@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
+        // important is "Connection" because we want a persistent
+        // connection, regardless of what the client sent to us.
+        for _, h := range hopHeaders {
+-               hv := outreq.Header.Get(h)
+-               if hv == "" {
+-                       continue
+-               }
+-               if h == "Te" && hv == "trailers" {
+-                       // Issue 21096: tell backend applications that
+-                       // care about trailer support that we support
+-                       // trailers. (We do, but we don't go out of
+-                       // our way to advertise that unless the
+-                       // incoming client request thought it was
+-                       // worth mentioning)
+-                       continue
+-               }
+                outreq.Header.Del(h)
+        }
+ 
+       // Issue 21096: tell backend applications that care about trailer support
+       // that we support trailers. (We do, but we don't go out of our way to
+       // advertise that unless the incoming client request thought it was worth
+       // mentioning.) Note that we look at req.Header, not outreq.Header, since
+       // the latter has passed through removeConnectionHeaders.
+       if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
+               outreq.Header.Set("Te", "trailers")
+       }
+
+        // After stripping all the hop-by-hop connection headers above, add back any
+        // necessary for protocol upgrades, such as for websockets.
+        if reqUpType != "" {
+Index: go/src/net/http/httputil/reverseproxy_test.go
+===================================================================
+--- go.orig/src/net/http/httputil/reverseproxy_test.go
+++ go/src/net/http/httputil/reverseproxy_test.go
+@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
+ 
+        getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+        getReq.Host = "some-name"
+-       getReq.Header.Set("Connection", "close")
+-       getReq.Header.Set("Te", "trailers")
+       getReq.Header.Set("Connection", "close, TE")
+       getReq.Header.Add("Te", "foo")
+       getReq.Header.Add("Te", "bar, trailers")
+        getReq.Header.Set("Proxy-Connection", "should be deleted")
+        getReq.Header.Set("Upgrade", "foo")
+        getReq.Close = true
+@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
+        }
+ }
+ 
+func TestReverseProxyStripEmptyConnection(t *testing.T) {
+       // See Issue 46313.
+       const backendResponse = "I am the backend"
+
+       // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
+       // in the Request's Connection header.
+       const someConnHeader = "X-Some-Conn-Header"
+
+       backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+               if c := r.Header.Values("Connection"); len(c) != 0 {
+                       t.Errorf("handler got header %q = %v; want empty", "Connection", c)
+               }
+               if c := r.Header.Get(someConnHeader); c != "" {
+                       t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
+               }
+               w.Header().Add("Connection", "")
+               w.Header().Add("Connection", someConnHeader)
+               w.Header().Set(someConnHeader, "should be deleted")
+               io.WriteString(w, backendResponse)
+       }))
+       defer backend.Close()
+       backendURL, err := url.Parse(backend.URL)
+       if err != nil {
+               t.Fatal(err)
+       }
+       proxyHandler := NewSingleHostReverseProxy(backendURL)
+       frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+               proxyHandler.ServeHTTP(w, r)
+               if c := r.Header.Get(someConnHeader); c != "should be deleted" {
+                       t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
+               }
+       }))
+       defer frontend.Close()
+
+       getReq, _ := http.NewRequest("GET", frontend.URL, nil)
+       getReq.Header.Add("Connection", "")
+       getReq.Header.Add("Connection", someConnHeader)
+       getReq.Header.Set(someConnHeader, "should be deleted")
+       res, err := frontend.Client().Do(getReq)
+       if err != nil {
+               t.Fatalf("Get: %v", err)
+       }
+       defer res.Body.Close()
+       bodyBytes, err := ioutil.ReadAll(res.Body)
+       if err != nil {
+               t.Fatalf("reading body: %v", err)
+       }
+       if got, want := string(bodyBytes), backendResponse; got != want {
+               t.Errorf("got body %q; want %q", got, want)
+       }
+       if c := res.Header.Get("Connection"); c != "" {
+               t.Errorf("handler got header %q = %q; want empty", "Connection", c)
+       }
+       if c := res.Header.Get(someConnHeader); c != "" {
+               t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
+       }
+}
+
+ func TestXForwardedFor(t *testing.T) {
+        const prevForwardedFor = "client ip"
+        const backendResponse = "I am the backend"

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch new file mode 100644 index 0000000000..2052b1d3db --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33197.patch
@@ -0,0 +1,152 @@
	1	From cbd1ca84453fecf3825a6bb9f985823e8bc32b76 Mon Sep 17 00:00:00 2001
	2	From: Filippo Valsorda <filippo@golang.org>
	3	Date: Fri, 21 May 2021 14:02:30 -0400
	4	Subject: [PATCH] [release-branch.go1.15] net/http/httputil: always remove
	5	hop-by-hop headers
	6
	7	Previously, we'd fail to remove the Connection header from a request
	8	like this:
	9
	10	Connection:
	11	Connection: x-header
	12
	13	Updates #46313
	14	Fixes #46314
	15	Fixes CVE-2021-33197
	16
	17	Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d
	18	Reviewed-on: https://go-review.googlesource.com/c/go/+/321929
	19	Run-TryBot: Filippo Valsorda <filippo@golang.org>
	20	Reviewed-by: Katie Hockman <katie@golang.org>
	21	Trust: Katie Hockman <katie@golang.org>
	22	Trust: Filippo Valsorda <filippo@golang.org>
	23	TryBot-Result: Go Bot <gobot@golang.org>
	24	Reviewed-on: https://go-review.googlesource.com/c/go/+/323091
	25	Run-TryBot: Katie Hockman <katie@golang.org>
	26
	27	Upstream-Status: Backport
	28	CVE: CVE-2021-33197
	29	Signed-off-by: Armin Kuster <akuster@mvista.com>
	30
	31	---
	32	src/net/http/httputil/reverseproxy.go \| 22 ++++----
	33	src/net/http/httputil/reverseproxy_test.go \| 63 +++++++++++++++++++++-
	34	2 files changed, 70 insertions(+), 15 deletions(-)
	35
	36	Index: go/src/net/http/httputil/reverseproxy.go
	37	===================================================================
	38	--- go.orig/src/net/http/httputil/reverseproxy.go
	39	+++ go/src/net/http/httputil/reverseproxy.go
	40	@@ -221,22 +221,18 @@ func (p *ReverseProxy) ServeHTTP(rw http
	41	// important is "Connection" because we want a persistent
	42	// connection, regardless of what the client sent to us.
	43	for _, h := range hopHeaders {
	44	- hv := outreq.Header.Get(h)
	45	- if hv == "" {
	46	- continue
	47	- }
	48	- if h == "Te" && hv == "trailers" {
	49	- // Issue 21096: tell backend applications that
	50	- // care about trailer support that we support
	51	- // trailers. (We do, but we don't go out of
	52	- // our way to advertise that unless the
	53	- // incoming client request thought it was
	54	- // worth mentioning)
	55	- continue
	56	- }
	57	outreq.Header.Del(h)
	58	}
	59
	60	+ // Issue 21096: tell backend applications that care about trailer support
	61	+ // that we support trailers. (We do, but we don't go out of our way to
	62	+ // advertise that unless the incoming client request thought it was worth
	63	+ // mentioning.) Note that we look at req.Header, not outreq.Header, since
	64	+ // the latter has passed through removeConnectionHeaders.
	65	+ if httpguts.HeaderValuesContainsToken(req.Header["Te"], "trailers") {
	66	+ outreq.Header.Set("Te", "trailers")
	67	+ }
	68	+
	69	// After stripping all the hop-by-hop connection headers above, add back any
	70	// necessary for protocol upgrades, such as for websockets.
	71	if reqUpType != "" {
	72	Index: go/src/net/http/httputil/reverseproxy_test.go
	73	===================================================================
	74	--- go.orig/src/net/http/httputil/reverseproxy_test.go
	75	+++ go/src/net/http/httputil/reverseproxy_test.go
	76	@@ -91,8 +91,9 @@ func TestReverseProxy(t *testing.T) {
	77
	78	getReq, _ := http.NewRequest("GET", frontend.URL, nil)
	79	getReq.Host = "some-name"
	80	- getReq.Header.Set("Connection", "close")
	81	- getReq.Header.Set("Te", "trailers")
	82	+ getReq.Header.Set("Connection", "close, TE")
	83	+ getReq.Header.Add("Te", "foo")
	84	+ getReq.Header.Add("Te", "bar, trailers")
	85	getReq.Header.Set("Proxy-Connection", "should be deleted")
	86	getReq.Header.Set("Upgrade", "foo")
	87	getReq.Close = true
	88	@@ -236,6 +237,64 @@ func TestReverseProxyStripHeadersPresent
	89	}
	90	}
	91
	92	+func TestReverseProxyStripEmptyConnection(t *testing.T) {
	93	+ // See Issue 46313.
	94	+ const backendResponse = "I am the backend"
	95	+
	96	+ // someConnHeader is some arbitrary header to be declared as a hop-by-hop header
	97	+ // in the Request's Connection header.
	98	+ const someConnHeader = "X-Some-Conn-Header"
	99	+
	100	+ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	101	+ if c := r.Header.Values("Connection"); len(c) != 0 {
	102	+ t.Errorf("handler got header %q = %v; want empty", "Connection", c)
	103	+ }
	104	+ if c := r.Header.Get(someConnHeader); c != "" {
	105	+ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
	106	+ }
	107	+ w.Header().Add("Connection", "")
	108	+ w.Header().Add("Connection", someConnHeader)
	109	+ w.Header().Set(someConnHeader, "should be deleted")
	110	+ io.WriteString(w, backendResponse)
	111	+ }))
	112	+ defer backend.Close()
	113	+ backendURL, err := url.Parse(backend.URL)
	114	+ if err != nil {
	115	+ t.Fatal(err)
	116	+ }
	117	+ proxyHandler := NewSingleHostReverseProxy(backendURL)
	118	+ frontend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	119	+ proxyHandler.ServeHTTP(w, r)
	120	+ if c := r.Header.Get(someConnHeader); c != "should be deleted" {
	121	+ t.Errorf("handler modified header %q = %q; want %q", someConnHeader, c, "should be deleted")
	122	+ }
	123	+ }))
	124	+ defer frontend.Close()
	125	+
	126	+ getReq, _ := http.NewRequest("GET", frontend.URL, nil)
	127	+ getReq.Header.Add("Connection", "")
	128	+ getReq.Header.Add("Connection", someConnHeader)
	129	+ getReq.Header.Set(someConnHeader, "should be deleted")
	130	+ res, err := frontend.Client().Do(getReq)
	131	+ if err != nil {
	132	+ t.Fatalf("Get: %v", err)
	133	+ }
	134	+ defer res.Body.Close()
	135	+ bodyBytes, err := ioutil.ReadAll(res.Body)
	136	+ if err != nil {
	137	+ t.Fatalf("reading body: %v", err)
	138	+ }
	139	+ if got, want := string(bodyBytes), backendResponse; got != want {
	140	+ t.Errorf("got body %q; want %q", got, want)
	141	+ }
	142	+ if c := res.Header.Get("Connection"); c != "" {
	143	+ t.Errorf("handler got header %q = %q; want empty", "Connection", c)
	144	+ }
	145	+ if c := res.Header.Get(someConnHeader); c != "" {
	146	+ t.Errorf("handler got header %q = %q; want empty", someConnHeader, c)
	147	+ }
	148	+}
	149	+
	150	func TestXForwardedFor(t *testing.T) {
	151	const prevForwardedFor = "client ip"
	152	const backendResponse = "I am the backend"