From 75701695d8a938d4958c12febdf37d96afcd6092 Mon Sep 17 00:00:00 2001
From: Emil Tullstedt <emil.tullstedt@grafana.com>
Date: Tue, 8 Nov 2022 16:58:04 +0100
Subject: [PATCH] pkg/web: avoid shared middleware slice (#58458)

---
 pkg/web/macaron.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/web/macaron.go b/pkg/web/macaron.go
index 5a0567ff632..774f4d2d499 100644
--- a/pkg/web/macaron.go
+++ b/pkg/web/macaron.go
@@ -144,8 +144,14 @@ func mwFromHandler(handler Handler) Middleware {
 }
 
 func (m *Macaron) createContext(rw http.ResponseWriter, req *http.Request) *Context {
+	// NOTE: we have to explicitly copy the middleware chain here to avoid
+	// passing a shared slice to the *Context, which leads to racy behavior in
+	// case of later appends
+	mws := make([]Middleware, len(m.mws))
+	copy(mws, m.mws)
+
 	c := &Context{
-		mws:  m.mws,
+		mws:  mws,
 		Resp: NewResponseWriter(req.Method, rw),
 	}