From 2d5ce9b729c0edded841301bd73d68d5e95aa28b Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Mon, 7 Aug 2023 15:57:54 -0700 Subject: net/http: sanitize User-Agent header in request writer Apply the same transformations to the User-Agent header value that we do to other headers. Avoids header and request smuggling in Request.Write and Request.WriteProxy. RoundTrip already validates values in Request.Header, and didn't allow bad User-Agent values to make it as far as the request writer. Fixes #61824 Change-Id: I360a915c7e08d014e0532bd5af196a5b59c89395 Reviewed-on: https://go-review.googlesource.com/c/go/+/516836 Reviewed-by: Jonathan Amsterdam Run-TryBot: Damien Neil TryBot-Result: Gopher Robot --- src/net/http/request_test.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'src/net/http/request_test.go') diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go index a32b583c11..5711164894 100644 --- a/src/net/http/request_test.go +++ b/src/net/http/request_test.go @@ -787,6 +787,25 @@ func TestRequestBadHostHeader(t *testing.T) { } } +func TestRequestBadUserAgent(t *testing.T) { + got := []string{} + req, err := NewRequest("GET", "http://foo/after", nil) + if err != nil { + t.Fatal(err) + } + req.Header.Set("User-Agent", "evil\r\nX-Evil: evil") + req.Write(logWrites{t, &got}) + want := []string{ + "GET /after HTTP/1.1\r\n", + "Host: foo\r\n", + "User-Agent: evil X-Evil: evil\r\n", + "\r\n", + } + if !reflect.DeepEqual(got, want) { + t.Errorf("Writes = %q\n Want = %q", got, want) + } +} + func TestStarRequest(t *testing.T) { req, err := ReadRequest(bufio.NewReader(strings.NewReader("M-SEARCH * HTTP/1.1\r\n\r\n"))) if err != nil { -- cgit v1.3