diff options
| author | Sean Liao <sean@liao.dev> | 2025-10-09 01:56:09 +0100 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2025-10-10 14:47:41 -0700 |
| commit | e3be2d1b2b68d960398a343805f77052d5decb22 (patch) | |
| tree | 0086d366467165a4ccc61e11b9988255026b090f /src/net | |
| parent | aced4c79a2b2c60e464410cec1e5378d1011fa18 (diff) | |
| download | go-e3be2d1b2b68d960398a343805f77052d5decb22.tar.xz | |
net/url: disallow raw IPv6 addresses in host
RFC 3986 requires square brackets around IPv6 addresses.
Parse's acceptance of raw IPv6 addresses is non compliant,
and complicates splitting out a port.
Fixes #31024
Fixes #75223
Change-Id: I477dc420a7441cb33156627dbd5e46d88c677f1e
Reviewed-on: https://go-review.googlesource.com/c/go/+/710176
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Diffstat (limited to 'src/net')
| -rw-r--r-- | src/net/url/url.go | 4 | ||||
| -rw-r--r-- | src/net/url/url_test.go | 23 |
2 files changed, 6 insertions, 21 deletions
diff --git a/src/net/url/url.go b/src/net/url/url.go index 6afa30f162..a697548801 100644 --- a/src/net/url/url.go +++ b/src/net/url/url.go @@ -698,7 +698,9 @@ func parseHost(host string) (string, error) { return "", errors.New("invalid IP-literal") } return "[" + unescapedHostname + "]" + unescapedColonPort, nil - } else if i := strings.LastIndex(host, ":"); i != -1 { + } else if i := strings.Index(host, ":"); i != -1 { + // IPv4address / reg-name + // E.g. 1.2.3.4, 1.2.3.4:80, example.com, example.com:80 colonPort := host[i:] if !validOptionalPort(colonPort) { return "", fmt.Errorf("invalid port %q after host", colonPort) diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go index 6084facacc..a7543d6fd4 100644 --- a/src/net/url/url_test.go +++ b/src/net/url/url_test.go @@ -507,26 +507,6 @@ var urltests = []URLTest{ "", }, { - // Malformed IPv6 but still accepted. - "http://2b01:e34:ef40:7730:8e70:5aff:fefe:edac:8080/foo", - &URL{ - Scheme: "http", - Host: "2b01:e34:ef40:7730:8e70:5aff:fefe:edac:8080", - Path: "/foo", - }, - "", - }, - { - // Malformed IPv6 but still accepted. - "http://2b01:e34:ef40:7730:8e70:5aff:fefe:edac:/foo", - &URL{ - Scheme: "http", - Host: "2b01:e34:ef40:7730:8e70:5aff:fefe:edac:", - Path: "/foo", - }, - "", - }, - { "http://[2b01:e34:ef40:7730:8e70:5aff:fefe:edac]:8080/foo", &URL{ Scheme: "http", @@ -735,6 +715,9 @@ var parseRequestURLTests = []struct { {"https://[0:0::test.com]:80", false}, {"https://[2001:db8::test.com]", false}, {"https://[test.com]", false}, + {"https://1:2:3:4:5:6:7:8", false}, + {"https://1:2:3:4:5:6:7:8:80", false}, + {"https://example.com:80:", false}, } func TestParseRequestURI(t *testing.T) { |