)]}'
{
  "commit": "cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021",
  "tree": "fb24b2f2ebc41e265ea34f318d6dfe6fcd525651",
  "parents": [
    "53da5fd4d431881bb3583c9790db7735a6530a1b"
  ],
  "author": {
    "name": "Brad Fitzpatrick",
    "email": "bradfitz@golang.org",
    "time": "Mon Jul 18 06:05:24 2016 +0000"
  },
  "committer": {
    "name": "Chris Broadfoot",
    "email": "cbro@golang.org",
    "time": "Mon Jul 18 15:13:06 2016 +0000"
  },
  "message": "[release-branch.go1.7] net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue\n\nBecause,\n\n* The CGI spec defines that incoming request header \"Foo: Bar\" maps to\n  environment variable HTTP_FOO \u003d\u003d \"Bar\". (see RFC 3875 4.1.18)\n\n* The HTTP_PROXY environment variable is conventionally used to configure\n  the HTTP proxy for HTTP clients (and is respected by default for\n  Go\u0027s net/http.Client and Transport)\n\nThat means Go programs running in a CGI environment (as a child\nprocess under a CGI host) are vulnerable to an incoming request\ncontaining \"Proxy: attacker.com:1234\", setting HTTP_PROXY, and\nchanging where Go by default proxies all outbound HTTP requests.\n\nThis is CVE-2016-5386, aka https://httpoxy.org/\n\nFixes #16405\n\nChange-Id: I6f68ade85421b4807785799f6d98a8b077e871f0\nReviewed-on: https://go-review.googlesource.com/25010\nRun-TryBot: Chris Broadfoot \u003ccbro@golang.org\u003e\nTryBot-Result: Gobot Gobot \u003cgobot@golang.org\u003e\nReviewed-by: Chris Broadfoot \u003ccbro@golang.org\u003e\nReviewed-on: https://go-review.googlesource.com/25013\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "2eea64334b63c14328d2db658dd21aae4fe76dcc",
      "old_mode": 33188,
      "old_path": "src/net/http/cgi/host.go",
      "new_id": "58e9f7132a86cbffdf569b196a0ae38049f9e045",
      "new_mode": 33188,
      "new_path": "src/net/http/cgi/host.go"
    },
    {
      "type": "modify",
      "old_id": "70c5aff5e29932912461edf0101552c481d8577f",
      "old_mode": 33188,
      "old_path": "src/net/http/cgi/host_test.go",
      "new_id": "11213349a71b1be9a672e8be48a55812290258e9",
      "new_mode": 33188,
      "new_path": "src/net/http/cgi/host_test.go"
    },
    {
      "type": "modify",
      "old_id": "f7904b4a892b6f5e4b7561b662528c8f960adf19",
      "old_mode": 33188,
      "old_path": "src/net/http/transport.go",
      "new_id": "eb54703c8fb9434c00b745d0888ff9f369524904",
      "new_mode": 33188,
      "new_path": "src/net/http/transport.go"
    },
    {
      "type": "modify",
      "old_id": "d653a5a7fc1e4bbf4b98b7cace9ac998e72c69de",
      "old_mode": 33188,
      "old_path": "src/net/http/transport_test.go",
      "new_id": "72b98f16d7eaa0ca9b726034c807e5fd0daa598a",
      "new_mode": 33188,
      "new_path": "src/net/http/transport_test.go"
    }
  ]
}