From 917949cc1d16c652cb09ba369718f45e5d814d8f Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Thu, 26 Mar 2026 15:13:56 -0400
Subject: [release-branch.go1.26] net/url: permit colons in the host
 subcomponent of non-http/https URLs

Too many systems seem to rely on net/url accepting invalid URLs with
colons in the host subcomponent. Rather than adding exceptions for
each (PostgreSQL, MongoDB, Redis, etc.), limit the strict validation
to http/https only.

This backport CL also includes test-only changes from CL 751360.

For #78077
Fixes #78111

Change-Id: I851c82eb3505297013269d71dc626a4c1c202c82
Reviewed-on: https://go-review.googlesource.com/c/go/+/758900
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/759662
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
---
 src/net/url/url.go      | 28 ++++++++++++++++------------
 src/net/url/url_test.go | 21 +++++++++++++++++++++
 2 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/src/net/url/url.go b/src/net/url/url.go
index 3e612c5261..ead6fae3dd 100644
--- a/src/net/url/url.go
+++ b/src/net/url/url.go
@@ -606,18 +606,22 @@ func parseHost(scheme, host string) (string, error) {
 	} else if i := strings.Index(host, ":"); i != -1 {
 		lastColon := strings.LastIndex(host, ":")
 		if lastColon != i {
-			if scheme == "postgresql" || scheme == "postgres" {
-				// PostgreSQL relies on non-RFC-3986 parsing to accept
-				// a comma-separated list of hosts (with optional ports)
-				// in the host subcomponent:
-				// https://www.postgresql.org/docs/11/libpq-connect.html#LIBPQ-MULTIPLE-HOSTS
-				//
-				// Since we historically permitted colons to appear in the host,
-				// continue to permit it for postgres:// URLs only.
-				// https://go.dev/issue/75223
-				i = lastColon
-			} else if urlstrictcolons.Value() == "0" {
-				urlstrictcolons.IncNonDefault()
+			// RFC 3986 does not allow colons to appear in the host subcomponent.
+			//
+			// However, a number of databases including PostgreSQL and MongoDB
+			// permit a comma-separated list of hosts (with optional ports) in the
+			// host subcomponent.
+			//
+			// Since we historically permitted colons to appear in the host,
+			// enforce strict colons only for http and https URLs.
+			//
+			// See https://go.dev/issue/75223 and https://go.dev/issue/78077.
+			if scheme == "http" || scheme == "https" {
+				if urlstrictcolons.Value() == "0" {
+					urlstrictcolons.IncNonDefault()
+					i = lastColon
+				}
+			} else {
 				i = lastColon
 			}
 		}
diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
index f0f3f97800..7bf008cf15 100644
--- a/src/net/url/url_test.go
+++ b/src/net/url/url_test.go
@@ -626,6 +626,27 @@ var urltests = []URLTest{
 		},
 		"postgresql://host1:1,host2:2,host3:3",
 	},
+	// Mongodb URLs can include a comma-separated list of host:post hosts.
+	{
+		"mongodb://user:password@host1:1,host2:2,host3:3",
+		&URL{
+			Scheme: "mongodb",
+			User:   UserPassword("user", "password"),
+			Host:   "host1:1,host2:2,host3:3",
+			Path:   "",
+		},
+		"",
+	},
+	{
+		"mongodb+srv://user:password@host1:1,host2:2,host3:3",
+		&URL{
+			Scheme: "mongodb+srv",
+			User:   UserPassword("user", "password"),
+			Host:   "host1:1,host2:2,host3:3",
+			Path:   "",
+		},
+		"",
+	},
 }
 
 // more useful string for debugging than fmt's struct printer
-- 
cgit v1.3