From cde1dda944dcf6350753df966bb5bda87a544842 Mon Sep 17 00:00:00 2001
|
|
From: Damien Neil <dneil@google.com>
|
|
Date: Tue, 21 Jan 2025 16:36:50 -0800
|
|
Subject: [PATCH] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
|
|
|
|
When matching against a host "example.com",
|
|
don't match an IPv6 address like "[1000::1%25.example.com]:80".
|
|
|
|
Thanks to Juho Forsén of Mattermost for reporting this issue.
|
|
|
|
Fixes CVE-2025-22870
|
|
For #71984
|
|
|
|
Change-Id: I0c4fdf18765decc27e6ddf220ebe3a9bf4a6454d
|
|
Reviewed-on: https://go-review.googlesource.com/c/net/+/654697
|
|
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
|
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
|
Commit-Queue: Roland Shoemaker <roland@golang.org>
|
|
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
|
Reviewed-by: Damien Neil <dneil@google.com>
|
|
---
|
|
|
|
diff --git a/http/httpproxy/proxy.go b/http/httpproxy/proxy.go
|
|
index 6404aaf..d89c257 100644
|
|
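--- a/vendor/golang.org/x/net/http/httpproxy/proxy.go
+++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go
@@ -14,6 +14,7 @@
 "errors"
 "fmt"
 "net"
+ "net/netip"
 "net/url"
 "os"
 "strings"
@@ -177,8 +178,10 @@
 if host == "localhost" {
 return false
 }
- ip := net.ParseIP(host)
- if ip != nil {
+ nip, err := netip.ParseAddr(host)
+ var ip net.IP
+ if err == nil {
+ ip = net.IP(nip.AsSlice())
 if ip.IsLoopback() {
 return false
 }
@@ -360,6 +363,9 @@
 }
 
 func (m domainMatch) match(host, port string, ip net.IP) bool {
+ if ip != nil {
+ return false
+ }
 if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
 return m.port == "" || m.port == port
 }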
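Review bot: The new `if ip != nil { return false }` guard in `domainMatch.match` (third hunk) is the security-relevant line of this fix, but nothing documents that it only works if the caller passes a non-nil `ip` for every IP literal, zoned ones included. That invariant is established only in the second hunk, where `netip.ParseAddr(host)` replaces `net.ParseIP(host)`. I would add `// An IP literal, even one whose zone ends in a domain name, must never match a domain rule.` above the guard, and `// netip.ParseAddr accepts IPv6 zones; AsSlice drops the zone, so IP and CIDR rules compare the address alone.` above `ip = net.IP(nip.AsSlice())`. The subject names both `proxy` and `http/httpproxy`, yet the page shows only this file section and no regression test for `[1000::1%25.example.com]:80`, so if the tree also vendors the `proxy` package its host matching presumably needs the same change. Both functions start and end outside the hunks shown.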