net/http: preserve nil values in Header.Clone ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. Fixes #53423 Fixes CVE-2022-32148 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit: b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a [log] [tgz]
author: Damien Neil <dneil@google.com> Fri Jun 17 10:09:45 2022 -0700
committer: Damien Neil <dneil@google.com> Wed Jun 29 22:28:30 2022 +0000
tree: 1bdaa3092fe0ed673cace25dcf1ddd74f423c24c
parent: 64ef16e77795957d47e3889bca9483d6f3099bbf [diff]
diff --git a/src/net/http/header.go b/src/net/http/header.go
index 6487e50..6437f2d 100644
--- a/src/net/http/header.go
+++ b/src/net/http/header.go

@@ -103,6 +103,12 @@
 	sv := make([]string, nv) // shared backing array for headers' values
 	h2 := make(Header, len(h))
 	for k, vv := range h {
+		if vv == nil {
+			// Preserve nil values. ReverseProxy distinguishes
+			// between nil and zero-length header values.
+			h2[k] = nil
+			continue
+		}
 		n := copy(sv, vv)
 		h2[k] = sv[:n:n]
 		sv = sv[n:]

diff --git a/src/net/http/header_test.go b/src/net/http/header_test.go
index 57d16f5..0b13d31 100644
--- a/src/net/http/header_test.go
+++ b/src/net/http/header_test.go

@@ -248,6 +248,11 @@
 			in:   Header{"foo": {"bar"}},
 			want: Header{"foo": {"bar"}},
 		},
+		{
+			name: "nil value",
+			in:   Header{"foo": nil},
+			want: Header{"foo": nil},
+		},
 	}
 
 	for _, tt := range tests {
commit	b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a	[log] [tgz]
author	Damien Neil <dneil@google.com>	Fri Jun 17 10:09:45 2022 -0700
committer	Damien Neil <dneil@google.com>	Wed Jun 29 22:28:30 2022 +0000
tree	1bdaa3092fe0ed673cace25dcf1ddd74f423c24c
parent	64ef16e77795957d47e3889bca9483d6f3099bbf [diff]