authorJens Frederich <jfrederich@gmail.com>2014-10-07 07:13:42 -0700
committerBrad Fitzpatrick <bradfitz@golang.org>2014-10-07 07:13:42 -0700
commitf739b7750853f2d620c78eca9fc14c32e48a14d5 (patch)
treeb81e18af51ed61694bc4c6edf0d3864a79c848ff /src/net/http/export_test.go
parent6e8f7b4f3e98deb90c8e2bc183b514c6780cb3a9 (diff)
net/http: fix authentication info leakage in Referer header (potential security risk)
http.Client calls URL.String() to fill in the Referer header, which may contain authentication info. This patch removes authentication info from the Referer header without introducing any API changes. A new test for net/http is also provided. This is the polished version of Alberto García Hierro's https://golang.org/cl/9766046/ It should handle https Referer right. Fixes #8417 LGTM=bradfitz R=golang-codereviews, gobot, bradfitz, mikioh.mikioh CC=golang-codereviews https://golang.org/cl/151430043
Diffstat (limited to 'src/net/http/export_test.go')
-rw-r--r--src/net/http/export_test.go5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/net/http/export_test.go b/src/net/http/export_test.go
index a6980b5389..87b6c0773a 100644
--- a/src/net/http/export_test.go
+++ b/src/net/http/export_test.go
@@ -9,6 +9,7 @@ package http
import (
"net"
+ "net/url"
"time"
)
@@ -92,6 +93,10 @@ func ResetCachedEnvironment() {
var DefaultUserAgent = defaultUserAgent
+func ExportRefererForURL(lastReq, newReq *url.URL) string {
+ return refererForURL(lastReq, newReq)
+}
+
// SetPendingDialHooks sets the hooks that run before and after handling
// pending dials.
func SetPendingDialHooks(before, after func()) {
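Review bot: The new test hook `ExportRefererForURL` has no doc comment, although the neighbouring `SetPendingDialHooks` in this hunk has one. Because it exists to test a security fix, the comment should state the property tests rely on, for example `// ExportRefererForURL exposes refererForURL to tests; the returned Referer value must not contain userinfo (user:password) from lastReq.` The body of `refererForURL` is not part of this file's diff, so that wording follows the commit message and should be checked against the implementation. The commit message also says the https Referer case should be handled, so a second sentence naming the expected result for an https `lastReq` and an http `newReq` would document that case too.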