From 334de7982f8ec959c74470dd709ceedfd6dbd50a Mon Sep 17 00:00:00 2001
From: Damien Neil
Date: Wed, 26 Feb 2025 16:46:43 -0800
Subject: [PATCH] [release-branch.go1.24] all: updated vendored x/net with security fix

6ed00d0 [internal-branch.go1.24-vendor] proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts
Fixes CVE-2025-22870
For #71986
Change-Id: I7bda0825f1a9470b0708714d9cc32b5eae212f8b
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2121
Reviewed-by: Neal Patel
Reviewed-by: Roland Shoemaker
Commit-Queue: Roland Shoemaker
Reviewed-on: https://go-review.googlesource.com/c/go/+/654715
Reviewed-by: Michael Pratt
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Junyang Shao
Reviewed-by: Damien Neil
Conflict:NA
Reference:https://go-review.googlesource.com/c/go/+/654715
Note:In the modification of the original CVE, the net/netip package was used. However, this package is not available in current version.Therefore, the parseIPZone function in the net package is used instead for the fix.
Edited-by: wujichao wujichao1@hauwei.com

---
 .../golang.org/x/net/http/httpproxy/proxy.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
index 1415b07..148c62f 100644
--- a/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
+++ b/src/vendor/golang.org/x/net/http/httpproxy/proxy.go
@@ -18,6 +18,7 @@ import (
 	"os"
 	"strings"
 	"unicode/utf8"
+	_ "unsafe"
 
 	"golang.org/x/net/idna"
 )
@@ -181,11 +182,9 @@ func (cfg *config) useProxy(addr string) bool {
 	if host == "localhost" {
 		return false
 	}
-	ip := net.ParseIP(host)
-	if ip != nil {
-		if ip.IsLoopback() {
-			return false
-		}
+	ip, _ := parseIPZone(host)
+	if ip != nil && ip.IsLoopback() {
+		return false
 	}
 
 	addr = strings.ToLower(strings.TrimSpace(host))
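Review bot: The zone returned by `parseIPZone` is silently discarded at `ip, _ := parseIPZone(host)` and nothing says why `net.ParseIP` was replaced, although that substitution is the crux of the CVE fix and will not be obvious to the next reader. A comment above the call would carry it: `// parseIPZone, unlike net.ParseIP, accepts a zone-suffixed IPv6 literal, so such a host is classified as an IP address (and rejected by domainMatch.match) rather than treated as a hostname whose zone text could satisfy a domain-suffix entry.` Within this hunk the only use of ip is the loopback check, so whether ip is later handed to the matchers cannot be confirmed from the visible lines. useProxy's body continues past the end of the hunk.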
@@ -205,6 +204,9 @@ func (cfg *config) useProxy(addr string) bool {
 	return true
 }
 
+//go:linkname parseIPZone net.parseIPZone
+func parseIPZone(s string) (net.IP, string)
+
 func (c *config) init() {
 	if parsed, err := parseProxy(c.HTTPProxy); err == nil {
 		c.httpProxy = parsed
@@ -361,6 +363,9 @@ type domainMatch struct {
 }
 
 func (m domainMatch) match(host, port string, ip net.IP) bool {
+	if ip != nil {
+		return false
+	}
 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
 		return m.port == "" || m.port == port
 	}
-- 
2.33.0
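Review bot: The bodiless `parseIPZone` declaration carries no comment explaining that it is a pull `//go:linkname` onto an unexported helper in `net`, which binds this vendored file to a private standard-library signature and diverges from upstream x/net (the commit note says upstream used net/netip). Since Go 1.23 the linker rejects pull linknames to standard-library symbols that lack a matching push directive unless the build passes `-checklinkname=0`, so if `net.parseIPZone` is not so marked this may fail to link on the target branch — worth confirming; and as net/netip has shipped since Go 1.18, a release-branch.go1.24 target should be able to take the upstream netip form rather than this workaround, which the note's claim of an unavailable netip package does not square with. At minimum add `// parseIPZone is linknamed to net.parseIPZone (local deviation from upstream, which uses net/netip); the blank "unsafe" import exists only to permit this directive.` above the declaration.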
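Review bot: The new `if ip != nil { return false }` guard at the top of domainMatch.match is the behavioural core of the fix but has no comment, so a later reader who sees an IP literal failing to match a domain entry may "fix" it back. Suggest `// An IP literal never matches a domain pattern; previously a zone-suffixed IPv6 literal fell through to the suffix check below, where its zone text could satisfy a domain entry.` The guard only does its job if the caller passes a non-nil ip for zoned literals, which is what the switch to parseIPZone in useProxy provides, so the two hunks should not be separated. The remainder of the method's body lies outside the hunk.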