From 829c5df58694b3345cb5ea41206783c8ccf5c3ca Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Wed, 23 Jan 2019 19:09:07 +0000
Subject: net/url, net/http: reject control characters in URLs

This is a more conservative version of the reverted CL 99135 (which was reverted in CL 137716)

The net/url part rejects URLs with ASCII CTLs from being parsed and the net/http part rejects writing them if a bogus url.URL is constructed otherwise.

Updates #27302
Updates #22907

Change-Id: I09a2212eb74c63db575223277aec363c55421ed8
Reviewed-on: https://go-review.googlesource.com/c/159157
Run-TryBot: Brad Fitzpatrick
TryBot-Result: Gobot Gobot
Reviewed-by: Filippo Valsorda
---
 src/net/http/request.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/net/http/request.go')

diff --git a/src/net/http/request.go b/src/net/http/request.go
index fb058f9fbf..01ba1dc1fb 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -550,7 +550,12 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
 			ruri = r.URL.Opaque
 		}
 	}
-	// TODO(bradfitz): escape at least newlines in ruri?
+	if strings.IndexFunc(ruri, isCTL) != -1 {
+		return errors.New("net/http: can't write control character in Request.URL")
+	}
+	// TODO: validate r.Method too? At least it's less likely to
+	// come from an attacker (more likely to be a constant in
+	// code).
 	// Wrap the writer in a bufio Writer if it's not already buffered.
 	// Don't always call NewWriter, as that forces a bytes.Buffer
-- 
cgit v1.3-6-g1900
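Review bot: The new guard uses `strings.IndexFunc`, which decodes `ruri` as UTF-8, so whether a raw byte in 0x80–0x9F or an invalid byte sequence is rejected depends entirely on how `isCTL` (defined outside this hunk, not visible here) treats `utf8.RuneError`; since the purpose is protecting the request line, the intent is byte-level (CR, LF, NUL, DEL and the other ASCII CTLs), and a plain byte loop over `ruri` would make that unambiguous and skip rune decoding. The check also deserves a why-comment instead of sitting bare above the TODO, e.g. `// Reject ASCII CTLs (notably CR/LF) so a malformed URL cannot terminate the request line and inject extra header lines.` Presumably the `host` value that this method writes into the request line and the Host header carries the same risk; if `cleanHost` does not already reject CTLs it needs the same check, which this commit does not add. The enclosing `write` method starts before and continues after this hunk.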