Commit accf363d authored by Damien Neil's avatar Damien Neil Committed by Filippo Valsorda
Browse files

[release-branch.go1.16] net/http/httputil: close incoming ReverseProxy request body 

Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, becuse http.Server does not (contrary
to its documentation) close the request body in this case.

Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.

Fixes #47474
Updates #46866
Fixes CVE-2021-36221

Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191


Trust: Damien Neil <dneil@google.com>
Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: default avatarFilippo Valsorda <filippo@golang.org>
(cherry picked from commit b7a85e00)
Reviewed-on: https://go-review.googlesource.com/c/go/+/338551


Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: default avatarDamien Neil <dneil@google.com>
parent ae7943e1
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment