aboutsummaryrefslogtreecommitdiff
path: root/src/net/http/request.go
diff options
context:
space:
mode:
Diffstat (limited to 'src/net/http/request.go')
-rw-r--r--src/net/http/request.go7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go
index fb058f9fbf..01ba1dc1fb 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -550,7 +550,12 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
ruri = r.URL.Opaque
}
}
- // TODO(bradfitz): escape at least newlines in ruri?
+ if strings.IndexFunc(ruri, isCTL) != -1 {
+ return errors.New("net/http: can't write control character in Request.URL")
+ }
+ // TODO: validate r.Method too? At least it's less likely to
+ // come from an attacker (more likely to be a constant in
+ // code).
// Wrap the writer in a bufio Writer if it's not already buffered.
// Don't always call NewWriter, as that forces a bytes.Buffer
generated by cgit v1.3 (git 2.53.0) at 2026-04-15 08:21:12 +0000