net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289] #65065

neild · 2024-01-11T19:39:17Z

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-45289.

/cc @golang/security and @golang/release

neild · 2024-01-30T22:13:56Z

@gopherbot please open backport issues for this security fix.

gopherbot · 2024-01-30T22:14:05Z

Backport issue(s) opened: #65384 (for 1.20), #65385 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

gopherbot · 2024-03-05T15:59:50Z

Change https://go.dev/cl/569236 mentions this issue: [release-branch.go1.22] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones

gopherbot · 2024-03-05T15:59:51Z

Change https://go.dev/cl/569239 mentions this issue: [release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones

… matches on IPv6 zones When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name. Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com". Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes CVE-2023-45289 Fixes #65859 For #65065 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344 Reviewed-by: Carlos Amedee <amedee@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/569236 Reviewed-by: Carlos Amedee <carlos@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Michael Knyszek <mknyszek@google.com>

… matches on IPv6 zones When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name. Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com". Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes CVE-2023-45289 Fixes #65385 For #65065 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775 Reviewed-by: Carlos Amedee <amedee@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/569239 Reviewed-by: Carlos Amedee <carlos@golang.org> Auto-Submit: Michael Knyszek <mknyszek@google.com> TryBot-Bypass: Michael Knyszek <mknyszek@google.com>

… matches on IPv6 zones When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name. Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com". Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes CVE-2023-45289 Fixes golang#65859 For golang#65065 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344 Reviewed-by: Carlos Amedee <amedee@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/569236 Reviewed-by: Carlos Amedee <carlos@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Michael Knyszek <mknyszek@google.com>

gopherbot · 2024-03-05T18:11:55Z

Change https://go.dev/cl/569340 mentions this issue: net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones

… matches on IPv6 zones When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name. Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com". Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes CVE-2023-45289 Fixes golang#65859 For golang#65065 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344 Reviewed-by: Carlos Amedee <amedee@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/569236 Reviewed-by: Carlos Amedee <carlos@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Michael Knyszek <mknyszek@google.com>

neild added Security release-blocker labels Jan 11, 2024

neild self-assigned this Jan 11, 2024

neild added this to the Go1.22 milestone Jan 11, 2024

This was referenced Jan 30, 2024

security: fix CVE-2023-45289 [1.20 backport] #65384

Closed

security: fix CVE-2023-45289 [1.21 backport] #65385

Closed

mknyszek modified the milestones: Go1.22, Go1.23 Feb 2, 2024

neild mentioned this issue Feb 21, 2024

security: fix CVE-2023-45289 [1.22 backport] #65859

Closed

mknyszek changed the title ~~security: fix CVE-2023-45289~~ net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289] Mar 5, 2024

gopherbot closed this as completed in 821bf37 Mar 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289] #65065

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289] #65065

neild commented Jan 11, 2024 •

edited by mknyszek

neild commented Jan 30, 2024

gopherbot commented Jan 30, 2024

gopherbot commented Mar 5, 2024

gopherbot commented Mar 5, 2024

gopherbot commented Mar 5, 2024

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289] #65065

net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289] #65065

Comments

neild commented Jan 11, 2024 • edited by mknyszek

neild commented Jan 30, 2024

gopherbot commented Jan 30, 2024

gopherbot commented Mar 5, 2024

gopherbot commented Mar 5, 2024

gopherbot commented Mar 5, 2024

neild commented Jan 11, 2024 •

edited by mknyszek