| author | Ethan Lee <ethanalee@google.com> | 2025-08-29 17:35:55 +0000 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2025-10-07 12:46:24 -0700 |
| commit | f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd (patch) | |
| tree | ef5b001cb37268cebe41f09b65c45b46e9e301b1 /src/encoding | |
| parent | 7dd54e1fd7f3a25fccbb5c6ab7066e2baad23e66 (diff) | |
| download | go-f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd.tar.xz | |

net/url: enforce stricter parsing of bracketed IPv6 hostnames

- Previously, url.Parse did not enforce validation of hostnames within
  square brackets.
- RFC 3986 stipulates that only IPv6 hostnames can be embedded within
  square brackets in a URL.
- Now, the parsing logic should strictly enforce that only IPv6
  hostnames can be resolved when in square brackets. IPv4, IPv4-mapped
  addresses and other input will be rejected.
- Update url_test to add test cases that cover the above scenarios.

Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua
University for reporting this issue.

Fixes CVE-2025-47912
Fixes #75678

Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2680
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709857
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Pratt <mpratt@google.com>

Diffstat (limited to 'src/encoding')
0 files changed, 0 insertions, 0 deletions
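
The rule stated in the commit message, written out as an added example; this is not code from the commit or from net/url. The helper name `checkBracketedHost`, the use of `net/netip`, and the handling of the `%25` zone separator are assumptions made for illustration, for callers that want to apply the same check to a host string themselves.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// checkBracketedHost is a hypothetical helper, not part of net/url. Given the
// host[:port] part of a URL, it accepts text inside [ ] only when that text is
// an IPv6 address; IPv4, IPv4-mapped and any other input is rejected.
func checkBracketedHost(hostport string) error {
	open := strings.IndexByte(hostport, '[')
	end := strings.LastIndexByte(hostport, ']')
	if open < 0 && end < 0 {
		return nil // no brackets: this rule does not apply
	}
	if open != 0 || end < 0 {
		return errors.New("malformed bracketed host")
	}
	// Only ":port" may follow the closing bracket; port syntax is not checked here.
	if rest := hostport[end+1:]; rest != "" && !strings.HasPrefix(rest, ":") {
		return fmt.Errorf("unexpected text %q after ']'", rest)
	}
	// Assumption: a zone identifier is written "%25" in the URL (RFC 6874),
	// while netip.ParseAddr expects a literal '%' before the zone name.
	inner := strings.Replace(hostport[1:end], "%25", "%", 1)
	addr, err := netip.ParseAddr(inner)
	if err != nil {
		return fmt.Errorf("bracketed host is not an IP address: %w", err)
	}
	if addr.Is4() || addr.Is4In6() {
		return errors.New("bracketed host is not a plain IPv6 address")
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	samples := []string{"[::1]:8080", "[fe80::1%25en0]", "[192.0.2.1]",
		"[::ffff:192.0.2.1]", "[example.com]:443", "example.com:443"}
	for _, h := range samples {
		fmt.Printf("%-22s %v\n", h, checkBracketedHost(h))
	}
}
```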
