Описание
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| golang-1.25 | fixed | 1.25.1-1 | package | |
| golang-1.24 | not-affected | package | ||
| golang-1.23 | not-affected | package | ||
| golang-1.19 | not-affected | package | ||
| golang-1.15 | not-affected | package |
Примечания
https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ
https://go-review.googlesource.com/c/go/+/699275
https://github.com/golang/go/issues/75054
Introduced after: https://github.com/golang/go/commit/1881d680b0b573c32d3002c37902760668ffec0f (go1.25rc1)
Fixed by: https://github.com/golang/go/commit/b1959cf6f7673eaffa89bbdb00e68b30cde3aa8a (go1.25.1)
Связанные уязвимости
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
