From 2d5ce9b729c0edded841301bd73d68d5e95aa28b Mon Sep 17 00:00:00 2001
From: Damien Neil
Date: Mon, 7 Aug 2023 15:57:54 -0700
Subject: net/http: sanitize User-Agent header in request writer
Apply the same transformations to the User-Agent header value that we do to other headers. Avoids header and request smuggling in Request.Write and Request.WriteProxy. RoundTrip already validates values in Request.Header, and didn't allow bad User-Agent values to make it as far as the request writer.
Fixes #61824
Change-Id: I360a915c7e08d014e0532bd5af196a5b59c89395
Reviewed-on: https://go-review.googlesource.com/c/go/+/516836
Reviewed-by: Jonathan Amsterdam
Run-TryBot: Damien Neil
TryBot-Result: Gopher Robot
---
 src/net/http/request.go | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src/net/http/request.go')
diff --git a/src/net/http/request.go b/src/net/http/request.go
index d1fbd5df90..0fb73c12b5 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -669,6 +669,8 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
 userAgent = r.Header.Get("User-Agent")
 }
 if userAgent != "" {
+ userAgent = headerNewlineToSpace.Replace(userAgent)
+ userAgent = textproto.TrimString(userAgent)
 _, err = fmt.Fprintf(w, "User-Agent: %s\r\n", userAgent)
 if err != nil {
 return err
-- cgit v1.3
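Review bot: The two added lines in `write` carry no comment explaining why User-Agent needs its own sanitizing step, and the reason is security-relevant: this header is emitted by a dedicated `fmt.Fprintf`, and per the commit message `Request.Write` and `Request.WriteProxy` do not pass through the validation that `RoundTrip` applies. I would add above them `// Sanitize like other header values: Write/WriteProxy skip RoundTrip's validation, so CR/LF here would start a new header line.` Because the value is rewritten rather than rejected, a caller that forwards an untrusted User-Agent gets no error back, so validation or logging upstream is still what surfaces an injection attempt. This view is limited to request.go, so I cannot tell whether a regression test accompanies the change (a User-Agent containing `\r\n` written via `Request.Write`, asserting that exactly one header line results). `write` begins and ends outside the hunk.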