Change information
Commit message:
net/http/httputil: don't forward Upgrade: h2c headers
Somewhat surprisingly, ReverseProxy will forward "Upgrade: h2c" headers
which attempt to switch an HTTP/1 connection to an unencrypted HTTP/2 one.
If the backend supports this deprecated protocol switch mechanism,
this lets a client send HTTP requests that bypass the ReverseProxy's
handlers. This is surprising at best, a security issue at worst.
Refuse to forward "Upgrade: h2c" headers.
In the unlikely event anyone actually wants this behavior,
they can use a Rewrite function to add the Upgrade: h2c
to the forwarded request.
Fixes #80416
Change-Id: I3a7d80fadf2eccbcce97f423556f8bf26a6a6964
Files:
- M src/net/http/httputil/reverseproxy.go
- M src/net/http/httputil/reverseproxy_test.go
Change size: M
Delta: 2 files changed, 51 insertions(+), 1 deletion(-)
Branch: refs/heads/master