This project is archived. Its data is read-only.

Commit b7a85e00 authored Jul 07, 2021 by Damien Neil Committed by Filippo Valsorda Jul 30, 2021

net/http/httputil: close incoming ReverseProxy request body

Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, becuse http.Server does not (contrary
to its documentation) close the request body in this case.

Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.

Updates #46866
Fixes CVE-2021-36221

Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191


Trust: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

parent 70fd4e47

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit ba93baa7
· Feb 10, 2022

mentioned in commit ba93baa7

mentioned in commit ba93baa74a52d57ae79313313ea990cc791ef50e

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit accf363d
· Feb 10, 2022

mentioned in commit accf363d

mentioned in commit accf363d5da864521c90b152fb734f3f15e00521

Toggle commit list

Please to comment