diff options
| author | Damien Neil <dneil@google.com> | 2026-03-26 15:13:56 -0400 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-03-26 13:49:23 -0700 |
| commit | 917949cc1d16c652cb09ba369718f45e5d814d8f (patch) | |
| tree | af4271b7362b40e46b0808ed89ca9371f2bcefbd | |
| parent | 7b4ed1d7d91316b2b52ca61c891d75840febd3f2 (diff) | |
| download | go-917949cc1d16c652cb09ba369718f45e5d814d8f.tar.xz | |
[release-branch.go1.26] net/url: permit colons in the host subcomponent of non-http/https URLs
Too many systems seem to rely on net/url accepting invalid URLs with
colons in the host subcomponent. Rather than adding exceptions for
each (PostgreSQL, MongoDB, Redis, etc.), limit the strict validation
to http/https only.
This backport CL also includes test-only changes from CL 751360.
For #78077
Fixes #78111
Change-Id: I851c82eb3505297013269d71dc626a4c1c202c82
Reviewed-on: https://go-review.googlesource.com/c/go/+/758900
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/759662
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
| -rw-r--r-- | src/net/url/url.go | 28 | ||||
| -rw-r--r-- | src/net/url/url_test.go | 21 |
2 files changed, 37 insertions, 12 deletions
diff --git a/src/net/url/url.go b/src/net/url/url.go index 3e612c5261..ead6fae3dd 100644 --- a/src/net/url/url.go +++ b/src/net/url/url.go @@ -606,18 +606,22 @@ func parseHost(scheme, host string) (string, error) { } else if i := strings.Index(host, ":"); i != -1 { lastColon := strings.LastIndex(host, ":") if lastColon != i { - if scheme == "postgresql" || scheme == "postgres" { - // PostgreSQL relies on non-RFC-3986 parsing to accept - // a comma-separated list of hosts (with optional ports) - // in the host subcomponent: - // https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-MULTIPLE-HOSTS - // - // Since we historically permitted colons to appear in the host, - // continue to permit it for postgres:// URLs only. - // https://go.dev/issue/75223 - i = lastColon - } else if urlstrictcolons.Value() == "0" { - urlstrictcolons.IncNonDefault() + // RFC 3986 does not allow colons to appear in the host subcomponent. + // + // However, a number of databases including PostgreSQL and MongoDB + // permit a comma-separated list of hosts (with optional ports) in the + // host subcomponent. + // + // Since we historically permitted colons to appear in the host, + // enforce strict colons only for http and https URLs. + // + // See https://go.dev/issue/75223 and https://go.dev/issue/78077. + if scheme == "http" || scheme == "https" { + if urlstrictcolons.Value() == "0" { + urlstrictcolons.IncNonDefault() + i = lastColon + } + } else { i = lastColon } } diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go index f0f3f97800..7bf008cf15 100644 --- a/src/net/url/url_test.go +++ b/src/net/url/url_test.go @@ -626,6 +626,27 @@ var urltests = []URLTest{ }, "postgresql://host1:1,host2:2,host3:3", }, + // Mongodb URLs can include a comma-separated list of host:post hosts. + { + "mongodb://user:password@host1:1,host2:2,host3:3", + &URL{ + Scheme: "mongodb", + User: UserPassword("user", "password"), + Host: "host1:1,host2:2,host3:3", + Path: "", + }, + "", + }, + { + "mongodb+srv://user:password@host1:1,host2:2,host3:3", + &URL{ + Scheme: "mongodb+srv", + User: UserPassword("user", "password"), + Host: "host1:1,host2:2,host3:3", + Path: "", + }, + "", + }, } // more useful string for debugging than fmt's struct printer |