@neild requested issue #65065 to be considered for backport to the next 1.21 minor release.
@gopherbot please open backport issues for this security fix.
Change https://go.dev/cl/569239 mentions this issue: [release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones
[release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones
20586c0

When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name.

Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com".

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes CVE-2023-45289
Fixes #65385
For #65065

Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
Reviewed-by: Tatiana Bradley <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
Reviewed-by: Carlos Amedee <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
Reviewed-by: Carlos Amedee <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
TryBot-Bypass: Michael Knyszek <[email protected]>
Closed by merging 20586c0 to release-branch.go1.21.
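The misinterpretation described in the commit message, as an added illustration that is not the Go source or the patch itself: a suffix-only subdomain check next to one that refuses to match IPv6 literals and zones. The function names `naiveIsSubdomain` and `guardedIsSubdomain` are hypothetical, and the sample hosts other than the one quoted in the commit message are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveIsSubdomain (hypothetical name) is a suffix-only check: any host that
// ends in "."+parent counts as a subdomain, whether or not it is a hostname.
func naiveIsSubdomain(sub, parent string) bool {
	return sub == parent || strings.HasSuffix(sub, "."+parent)
}

// guardedIsSubdomain (hypothetical name) declines to suffix-match a host that
// contains ':' or '%'. Neither character can occur in a DNS hostname, so such
// a host is an IPv6 literal, possibly with a scoped addressing zone, and the
// text after '%' must not be read as a domain name.
func guardedIsSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if strings.ContainsAny(sub, ":%") {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

func main() {
	parent := "www.example.com"
	// The second host is the one quoted in the commit message; the others
	// are constructed for comparison.
	hosts := []string{
		"api.www.example.com",
		"::1%.www.example.com",
		"notwww.example.com",
	}
	for _, h := range hosts {
		fmt.Printf("%-24q naive=%-5v guarded=%v\n",
			h, naiveIsSubdomain(h, parent), guardedIsSubdomain(h, parent))
	}
}
```

Only the zoned IPv6 host gets a different answer from the two checks, which is the case where a redirect would otherwise be treated as within-domain for cookie and sensitive-header forwarding.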