net/url, net/http: relax CTL-in-URL validation to only ASCII CTLs

CL 159157 was doing UTF-8 decoding of URLs. URLs aren't really UTF-8, even if sometimes they are in some contexts. Instead, only reject ASCII CTLs. Updates #27302 Updates #22907 Change-Id: Ibd64efa5d3a93263d175aadf1c9f87deb4670c62 Reviewed-on: https://go-review.googlesource.com/c/160178 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
author: Brad Fitzpatrick <bradfitz@golang.org> 2019-01-29 17:22:36 +0000
committer: Brad Fitzpatrick <bradfitz@golang.org> 2019-01-29 20:42:54 +0000
commit: f1d662f34788f4a5f087581d0951cdf4e0f6e708 (patch)
tree: c623103182af8161447152d11c1c94f5cb41532c /src/net/http/http.go
parent: d34c0dbc17e61e9e7a15355e75b9578d7d024f52 (diff)
download: go-f1d662f34788f4a5f087581d0951cdf4e0f6e708.tar.xz
1 files changed, 9 insertions, 4 deletions
diff --git a/src/net/http/http.go b/src/net/http/http.go
index 5c03c16c87..e5d59e1412 100644
--- a/src/net/http/http.go
+++ b/src/net/http/http.go
@@ -59,10 +59,15 @@ func isASCII(s string) bool {
 	return true
 }
 
-// isCTL reports whether r is an ASCII control character, including
-// the Extended ASCII control characters included in Unicode.
-func isCTL(r rune) bool {
-	return r < ' ' || 0x7f <= r && r <= 0x9f
+// stringContainsCTLByte reports whether s contains any ASCII control character.
+func stringContainsCTLByte(s string) bool {
+	for i := 0; i < len(s); i++ {
+		b := s[i]
+		if b < ' ' || b == 0x7f {
+			return true
+		}
+	}
+	return false
 }
 
 func hexEscapeNonASCII(s string) string {
author	Brad Fitzpatrick <bradfitz@golang.org>	2019-01-29 17:22:36 +0000
committer	Brad Fitzpatrick <bradfitz@golang.org>	2019-01-29 20:42:54 +0000
commit	f1d662f34788f4a5f087581d0951cdf4e0f6e708 (patch)
tree	c623103182af8161447152d11c1c94f5cb41532c /src/net/http/http.go
parent	d34c0dbc17e61e9e7a15355e75b9578d7d024f52 (diff)
download	go-f1d662f34788f4a5f087581d0951cdf4e0f6e708.tar.xz