net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect [CVE-2023-45289]

[neild]

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-45289.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #65384 (for 1.20), #65385 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/569236 mentions this issue: [release-branch.go1.22] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones

[gopherbot]

Change https://go.dev/cl/569239 mentions this issue: [release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones