Google Git
Sign in
go / net / cde1dda944dcf6350753df966bb5bda87a544842
commitcde1dda944dcf6350753df966bb5bda87a544842[log] [tgz]
authorDamien Neil <dneil@google.com>Tue Jan 21 16:36:50 2025 -0800
committerGopher Robot <gobot@golang.org>Tue Mar 04 11:00:06 2025 -0800
tree7f963f0d083f8ba5437114cf0cab172b9d217ead
parentfe7f0391aa994a401c82d829183c1efab7a64df4 [diff]
proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts

When matching against a host "example.com",
don't match an IPv6 address like "[1000::1%25.example.com]:80".

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes CVE-2025-22870
For #71984

Change-Id: I0c4fdf18765decc27e6ddf220ebe3a9bf4a6454d
Reviewed-on: https://go-review.googlesource.com/c/net/+/654697
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit-Queue: Roland Shoemaker <roland@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
4 files changed
tree: 7f963f0d083f8ba5437114cf0cab172b9d217ead
  1. bpf/
  2. context/
  3. dict/
  4. dns/
  5. html/
  6. http/
  7. http2/
  8. icmp/
  9. idna/
  10. internal/
  11. ipv4/
  12. ipv6/
  13. lif/
  14. nettest/
  15. netutil/
  16. proxy/
  17. publicsuffix/
  18. quic/
  19. route/
  20. trace/
  21. webdav/
  22. websocket/
  23. xsrftoken/
  24. .gitattributes
  25. .gitignore
  26. codereview.cfg
  27. CONTRIBUTING.md
  28. go.mod
  29. go.sum
  30. LICENSE
  31. PATENTS
  32. README.md
README.md

Go Networking

Go Reference

This repository holds supplementary Go networking packages.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.

The git repository is https://go.googlesource.com/net.

The main issue tracker for the net repository is located at https://go.dev/issues. Prefix your issue with “x/net:” in the subject line, so it is easy to find.