net/http: sanitize User-Agent header in request writer

Apply the same transformations to the User-Agent header value that we do to other headers. Avoids header and request smuggling in Request.Write and Request.WriteProxy. RoundTrip already validates values in Request.Header, and didn't allow bad User-Agent values to make it as far as the request writer. Fixes #61824 Change-Id: I360a915c7e08d014e0532bd5af196a5b59c89395 Reviewed-on: https://go-review.googlesource.com/c/go/+/516836 Reviewed-by: Jonathan Amsterdam <jba@google.com> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
author: Damien Neil <dneil@google.com> 2023-08-07 15:57:54 -0700
committer: Damien Neil <dneil@google.com> 2023-08-08 23:10:58 +0000
commit: 2d5ce9b729c0edded841301bd73d68d5e95aa28b (patch)
tree: 11d113ee1e8e538124cdea6b2953c8eff3bf5e12 /src/net/http/request.go
parent: 6e43407931ee4acc204620a9fae59c7903164901 (diff)
download: go-2d5ce9b729c0edded841301bd73d68d5e95aa28b.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go
index d1fbd5df90..0fb73c12b5 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -669,6 +669,8 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
 		userAgent = r.Header.Get("User-Agent")
 	}
 	if userAgent != "" {
+		userAgent = headerNewlineToSpace.Replace(userAgent)
+		userAgent = textproto.TrimString(userAgent)
 		_, err = fmt.Fprintf(w, "User-Agent: %s\r\n", userAgent)
 		if err != nil {
 			return err
author	Damien Neil <dneil@google.com>	2023-08-07 15:57:54 -0700
committer	Damien Neil <dneil@google.com>	2023-08-08 23:10:58 +0000
commit	2d5ce9b729c0edded841301bd73d68d5e95aa28b (patch)
tree	11d113ee1e8e538124cdea6b2953c8eff3bf5e12 /src/net/http/request.go
parent	6e43407931ee4acc204620a9fae59c7903164901 (diff)
download	go-2d5ce9b729c0edded841301bd73d68d5e95aa28b.tar.xz