Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] #70530

Closed
neild opened this issue Nov 22, 2024 · 10 comments
Closed

net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] #70530

neild opened this issue Nov 22, 2024 · 10 comments
Assignees
@neild
Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Go1.24

Comments

@neild
Copy link
Contributor

neild commented Nov 22, 2024
edited by mknyszek
Loading

The HTTP client drops sensitive headers after following a cross-domain redirect.
For example, a request to a.com/ containing an Authorization header which is
redirected to b.com/ will not send that header to b.com.

In the event that the client received a subsequent same-domain redirect, however,
the sensitive headers would be restored. For example, a chain of redirects from
a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization
header to b.com/2.

Thanks to Kyle Seely for reporting this issue.

This is CVE-2024-45336.

Tracked in http://b/379881954 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1641.

/cc @golang/security and @golang/release
@neild neild added the Security label Nov 22, 2024
@neild neild self-assigned this Nov 22, 2024
@gabyhelp

This comment has been minimized.

Sign in to view
This was referenced Dec 11, 2024
Closed
Closed
@neild
Copy link
Contributor Author

neild commented Jan 9, 2025

@gopherbot please open backport issues for 1.22, 1.23, and 1.24

@gopherbot gopherbot mentioned this issue Jan 9, 2025
Closed
@gopherbot
Copy link
Contributor

Backport issue(s) opened: #71210 (for 1.22), #71211 (for 1.23), #71212 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

This was referenced Jan 9, 2025
Closed
Closed
@gabyhelp gabyhelp mentioned this issue Jan 10, 2025
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/643095 mentions this issue: net/http: persist header stripping across repeated redirects

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/643104 mentions this issue: [release-branch.go1.23] net/http: persist header stripping across repeated redirects

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/643106 mentions this issue: [release-branch.go1.22] net/http: persist header stripping across repeated redirects

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/643100 mentions this issue: net/http: persist header stripping across repeated redirects

gopherbot pushed a commit that referenced this issue Jan 16, 2025
@neild @gopherbot
net/http: persist header stripping across repeated redirects
6783377 
When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For #70530
Fixes CVE-2024-45336

Change-Id: Ia58a2e10d33d6b0cc7220935e771450e5c34de72
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643095
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
gopherbot pushed a commit that referenced this issue Jan 16, 2025
@neild @gopherbot
[release-branch.go1.23] net/http: persist header stripping across rep…
bb8230f 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For #70530
Fixes ##71211
Fixes CVE-2024-45336

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Change-Id: I326544358de71ff892d9e9fe338252a5dd04001f
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1764
Reviewed-on: https://go-review.googlesource.com/c/go/+/643104
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
gopherbot pushed a commit that referenced this issue Jan 16, 2025
@neild @gopherbot
[release-branch.go1.22] net/http: persist header stripping across rep…
b72d56f 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

Fixes #70530
For #71210
Fixes CVE-2024-45336

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Change-Id: Id7b1e3c90345566b8ee1a51f65dbb179da6eb427
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1765
Reviewed-on: https://go-review.googlesource.com/c/go/+/643106
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
gopherbot pushed a commit that referenced this issue Jan 16, 2025
@neild @gopherbot
[release-branch.go1.24] net/http: persist header stripping across rep…
6b60550 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For #70530
Fixes #71212
Fixes CVE-2024-45336

Change-Id: Ia58a2e10d33d6b0cc7220935e771450e5c34de72
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 2889169b87a61f1218a02994feb80fd3d8bfa87c)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1766
Reviewed-on: https://go-review.googlesource.com/c/go/+/643100
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
@mknyszek mknyszek changed the title security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect [CVE-2024-45336] Jan 16, 2025
@dmitshur dmitshur added this to the Go1.24 milestone Jan 16, 2025
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Jan 16, 2025
@dmitshur dmitshur marked this as a duplicate of #71212 Jan 16, 2025
wyf9661 pushed a commit to wyf9661/go that referenced this issue Jan 21, 2025
@neild @wyf9661
[release-branch.go1.24] net/http: persist header stripping across rep…
73348f2 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For golang#70530
Fixes golang#71212
Fixes CVE-2024-45336

Change-Id: Ia58a2e10d33d6b0cc7220935e771450e5c34de72
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 2889169b87a61f1218a02994feb80fd3d8bfa87c)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1766
Reviewed-on: https://go-review.googlesource.com/c/go/+/643100
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
@cdupuis
Copy link

cdupuis commented Jan 23, 2025

Hi, thanks for getting this fix out 💪🏽. I was wondering if there's a particular reason for why CVE-2024-45336 (and similarly CVE-2024-45341) is not included in the Go vuln db at https://pkg.go.dev/vuln/ and https://github.com/golang/vulndb?

@malayparida2000
Copy link

@gopherbot please open backport issues for 1.22, 1.23, and 1.24

Is go 1.21 not affected by this issue?

@ianlancetaylor
Copy link
Member

@malayparida2000 Go 1.21 is no longer supported.

mpminardi pushed a commit to tailscale/go that referenced this issue Jan 28, 2025
@neild @mpminardi
[release-branch.go1.23] net/http: persist header stripping across rep…
9d927a5 
…eated redirects

When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For golang#70530
Fixes #golang#71211
Fixes CVE-2024-45336

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Change-Id: I326544358de71ff892d9e9fe338252a5dd04001f
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1764
Reviewed-on: https://go-review.googlesource.com/c/go/+/643104
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Clement-Jean pushed a commit to Clement-Jean/go that referenced this issue Jan 31, 2025
@neild @Clement-Jean
net/http: persist header stripping across repeated redirects
800964e 
When an HTTP redirect changes the host of a request, we drop
sensitive headers such as Authorization from the redirected request.
Fix a bug where a chain of redirects could result in sensitive
headers being sent to the wrong host:

  1. request to a.tld with Authorization header
  2. a.tld redirects to b.tld
  3. request to b.tld with no Authorization header
  4. b.tld redirects to b.tld
  3. request to b.tld with Authorization header restored

Thanks to Kyle Seely for reporting this issue.

For golang#70530
Fixes CVE-2024-45336

Change-Id: Ia58a2e10d33d6b0cc7220935e771450e5c34de72
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643095
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Go1.24
Development

No branches or pull requests
8 participants
@neild @cdupuis @mknyszek @dmitshur @ianlancetaylor @gopherbot @malayparida2000 @gabyhelp