| author | Brad Fitzpatrick <bradfitz@golang.org> | 2019-01-23 19:09:07 +0000 |
|---|---|---|
| committer | Brad Fitzpatrick <bradfitz@golang.org> | 2019-01-23 19:31:46 +0000 |
| commit | 829c5df58694b3345cb5ea41206783c8ccf5c3ca (patch) | |
| tree | d00f25105998b1febceffce61fe9db56485b8963 /src/net/http/http.go | |
| parent | 4edea0f0a77b341ec565d848e453c4a854418e8c (diff) | |
| download | go-829c5df58694b3345cb5ea41206783c8ccf5c3ca.tar.xz | |
net/url, net/http: reject control characters in URLs

This is a more conservative version of the reverted CL 99135 (which
was reverted in CL 137716)

The net/url part rejects URLs with ASCII CTLs from being parsed and
the net/http part rejects writing them if a bogus url.URL is
constructed otherwise.

Updates #27302
Updates #22907

Change-Id: I09a2212eb74c63db575223277aec363c55421ed8
Reviewed-on: https://go-review.googlesource.com/c/159157
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/net/http/http.go')
| -rw-r--r-- | src/net/http/http.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/net/http/http.go b/src/net/http/http.go index 624b2cfe69..5c03c16c87 100644 --- a/src/net/http/http.go +++ b/src/net/http/http.go @@ -59,6 +59,12 @@ func isASCII(s string) bool { return true } +// isCTL reports whether r is an ASCII control character, including +// the Extended ASCII control characters included in Unicode. +func isCTL(r rune) bool { + return r < ' ' || 0x7f <= r && r <= 0x9f +} + func hexEscapeNonASCII(s string) string { newLen := 0 for i := 0; i < len(s); i++ { |
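Review bot: The doc comment on isCTL should state that the argument must be a decoded rune, because the `0x7f <= r && r <= 0x9f` half of the return expression is only correct for code points, not for raw bytes. Bytes 0x80 to 0x9f are ordinary UTF-8 continuation bytes, so a byte-indexed loop in the style of the neighbouring hexEscapeNonASCII (`for i := 0; i < len(s); i++`) that converted each byte to a rune would flag legitimate non-ASCII text as control characters. The comment could also name the ranges precisely (C0 controls below 0x20, DEL at 0x7f, C1 controls 0x80 to 0x9f), since the C1 range is not ASCII. As a style point, the expression mixes `||` and `&&` without parentheses; `&&` binds tighter in Go, so it parses as intended, but `r < ' ' || (0x7f <= r && r <= 0x9f)` would save readers the precedence lookup. No caller of isCTL appears in this diff, which is limited to src/net/http/http.go, so the rune-versus-byte usage cannot be confirmed from the lines shown here.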
