|
|
1429da |
From eb0f2b3d27a896e4b832f2450490a2bbf72fbb6c Mon Sep 17 00:00:00 2001
|
|
|
1429da |
From: Brad Fitzpatrick <bradfitz@golang.org>
|
|
|
1429da |
Date: Thu, 31 Jan 2019 20:17:12 +0000
|
|
|
1429da |
Subject: [PATCH] [release-branch.go1.11] net/http, net/url: reject control
|
|
|
1429da |
characters in URLs
|
|
|
1429da |
|
|
|
1429da |
Cherry pick of combined CL 159157 + CL 160178.
|
|
|
1429da |
|
|
|
1429da |
Fixes #29923
|
|
|
1429da |
Updates #27302
|
|
|
1429da |
Updates #22907
|
|
|
1429da |
|
|
|
1429da |
Change-Id: I6de92c14284595a58321a4b4d53229285979b872
|
|
|
1429da |
Reviewed-on: https://go-review.googlesource.com/c/160798
|
|
|
1429da |
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
|
|
|
1429da |
TryBot-Result: Gobot Gobot <gobot@golang.org>
|
|
|
1429da |
Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
|
|
1429da |
---
|
|
|
1429da |
src/net/http/fs_test.go | 15 +++++++++++----
|
|
|
1429da |
src/net/http/http.go | 11 +++++++++++
|
|
|
1429da |
src/net/http/request.go | 7 ++++++-
|
|
|
1429da |
src/net/http/requestwrite_test.go | 11 +++++++++++
|
|
|
1429da |
src/net/url/url.go | 15 +++++++++++++++
|
|
|
1429da |
src/net/url/url_test.go | 23 ++++++++++++++++++++++-
|
|
|
1429da |
6 files changed, 76 insertions(+), 6 deletions(-)
|
|
|
1429da |
|
|
|
1429da |
diff --git a/src/net/http/fs_test.go b/src/net/http/fs_test.go
|
|
|
1429da |
index 255d215f3cf..762e88b05ff 100644
|
|
|
1429da |
--- a/src/net/http/fs_test.go
|
|
|
1429da |
+++ b/src/net/http/fs_test.go
|
|
|
1429da |
@@ -583,16 +583,23 @@ func TestFileServerZeroByte(t *testing.T) {
|
|
|
1429da |
ts := httptest.NewServer(FileServer(Dir(".")))
|
|
|
1429da |
defer ts.Close()
|
|
|
1429da |
|
|
|
1429da |
- res, err := Get(ts.URL + "/..\x00")
|
|
|
1429da |
+ c, err := net.Dial("tcp", ts.Listener.Addr().String())
|
|
|
1429da |
if err != nil {
|
|
|
1429da |
t.Fatal(err)
|
|
|
1429da |
}
|
|
|
1429da |
- b, err := ioutil.ReadAll(res.Body)
|
|
|
1429da |
+ defer c.Close()
|
|
|
1429da |
+ _, err = fmt.Fprintf(c, "GET /..\x00 HTTP/1.0\r\n\r\n")
|
|
|
1429da |
+ if err != nil {
|
|
|
1429da |
+ t.Fatal(err)
|
|
|
1429da |
+ }
|
|
|
1429da |
+ var got bytes.Buffer
|
|
|
1429da |
+ bufr := bufio.NewReader(io.TeeReader(c, &got))
|
|
|
1429da |
+ res, err := ReadResponse(bufr, nil)
|
|
|
1429da |
if err != nil {
|
|
|
1429da |
- t.Fatal("reading Body:", err)
|
|
|
1429da |
+ t.Fatal("ReadResponse: ", err)
|
|
|
1429da |
}
|
|
|
1429da |
if res.StatusCode == 200 {
|
|
|
1429da |
- t.Errorf("got status 200; want an error. Body is:\n%s", string(b))
|
|
|
1429da |
+ t.Errorf("got status 200; want an error. Body is:\n%s", got.Bytes())
|
|
|
1429da |
}
|
|
|
1429da |
}
|
|
|
1429da |
|
|
|
1429da |
diff --git a/src/net/http/http.go b/src/net/http/http.go
|
|
|
1429da |
index ce0eceb1de3..07ca78dbc84 100644
|
|
|
1429da |
--- a/src/net/http/http.go
|
|
|
1429da |
+++ b/src/net/http/http.go
|
|
|
1429da |
@@ -59,6 +59,17 @@ func isASCII(s string) bool {
|
|
|
1429da |
return true
|
|
|
1429da |
}
|
|
|
1429da |
|
|
|
1429da |
+// stringContainsCTLByte reports whether s contains any ASCII control character.
|
|
|
1429da |
+func stringContainsCTLByte(s string) bool {
|
|
|
1429da |
+ for i := 0; i < len(s); i++ {
|
|
|
1429da |
+ b := s[i]
|
|
|
1429da |
+ if b < ' ' || b == 0x7f {
|
|
|
1429da |
+ return true
|
|
|
1429da |
+ }
|
|
|
1429da |
+ }
|
|
|
1429da |
+ return false
|
|
|
1429da |
+}
|
|
|
1429da |
+
|
|
|
1429da |
func hexEscapeNonASCII(s string) string {
|
|
|
1429da |
newLen := 0
|
|
|
1429da |
for i := 0; i < len(s); i++ {
|
|
|
1429da |
diff --git a/src/net/http/request.go b/src/net/http/request.go
|
|
|
1429da |
index a40b0a3cb83..e352386b083 100644
|
|
|
1429da |
--- a/src/net/http/request.go
|
|
|
1429da |
+++ b/src/net/http/request.go
|
|
|
1429da |
@@ -545,7 +545,12 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
|
|
|
1429da |
// CONNECT requests normally give just the host and port, not a full URL.
|
|
|
1429da |
ruri = host
|
|
|
1429da |
}
|
|
|
1429da |
- // TODO(bradfitz): escape at least newlines in ruri?
|
|
|
1429da |
+ if stringContainsCTLByte(ruri) {
|
|
|
1429da |
+ return errors.New("net/http: can't write control character in Request.URL")
|
|
|
1429da |
+ }
|
|
|
1429da |
+ // TODO: validate r.Method too? At least it's less likely to
|
|
|
1429da |
+ // come from an attacker (more likely to be a constant in
|
|
|
1429da |
+ // code).
|
|
|
1429da |
|
|
|
1429da |
// Wrap the writer in a bufio Writer if it's not already buffered.
|
|
|
1429da |
// Don't always call NewWriter, as that forces a bytes.Buffer
|
|
|
1429da |
diff --git a/src/net/http/requestwrite_test.go b/src/net/http/requestwrite_test.go
|
|
|
1429da |
index eb65b9f736f..3daab4b8b7b 100644
|
|
|
1429da |
--- a/src/net/http/requestwrite_test.go
|
|
|
1429da |
+++ b/src/net/http/requestwrite_test.go
|
|
|
1429da |
@@ -512,6 +512,17 @@ var reqWriteTests = []reqWriteTest{
|
|
|
1429da |
"User-Agent: Go-http-client/1.1\r\n" +
|
|
|
1429da |
"\r\n",
|
|
|
1429da |
},
|
|
|
1429da |
+
|
|
|
1429da |
+ 21: {
|
|
|
1429da |
+ Req: Request{
|
|
|
1429da |
+ Method: "GET",
|
|
|
1429da |
+ URL: &url.URL{
|
|
|
1429da |
+ Host: "www.example.com",
|
|
|
1429da |
+ RawQuery: "new\nline", // or any CTL
|
|
|
1429da |
+ },
|
|
|
1429da |
+ },
|
|
|
1429da |
+ WantError: errors.New("net/http: can't write control character in Request.URL"),
|
|
|
1429da |
+ },
|
|
|
1429da |
}
|
|
|
1429da |
|
|
|
1429da |
func TestRequestWrite(t *testing.T) {
|
|
|
1429da |
diff --git a/src/net/url/url.go b/src/net/url/url.go
|
|
|
1429da |
index 80eb7a86c8d..8d2a8566998 100644
|
|
|
1429da |
--- a/src/net/url/url.go
|
|
|
1429da |
+++ b/src/net/url/url.go
|
|
|
1429da |
@@ -494,6 +494,10 @@ func parse(rawurl string, viaRequest bool) (*URL, error) {
|
|
|
1429da |
var rest string
|
|
|
1429da |
var err error
|
|
|
1429da |
|
|
|
1429da |
+ if stringContainsCTLByte(rawurl) {
|
|
|
1429da |
+ return nil, errors.New("net/url: invalid control character in URL")
|
|
|
1429da |
+ }
|
|
|
1429da |
+
|
|
|
1429da |
if rawurl == "" && viaRequest {
|
|
|
1429da |
return nil, errors.New("empty url")
|
|
|
1429da |
}
|
|
|
1429da |
@@ -1114,3 +1118,14 @@ func validUserinfo(s string) bool {
|
|
|
1429da |
}
|
|
|
1429da |
return true
|
|
|
1429da |
}
|
|
|
1429da |
+
|
|
|
1429da |
+// stringContainsCTLByte reports whether s contains any ASCII control character.
|
|
|
1429da |
+func stringContainsCTLByte(s string) bool {
|
|
|
1429da |
+ for i := 0; i < len(s); i++ {
|
|
|
1429da |
+ b := s[i]
|
|
|
1429da |
+ if b < ' ' || b == 0x7f {
|
|
|
1429da |
+ return true
|
|
|
1429da |
+ }
|
|
|
1429da |
+ }
|
|
|
1429da |
+ return false
|
|
|
1429da |
+}
|
|
|
1429da |
diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
|
|
|
1429da |
index 9043a844e88..369ea6cbd25 100644
|
|
|
1429da |
--- a/src/net/url/url_test.go
|
|
|
1429da |
+++ b/src/net/url/url_test.go
|
|
|
1429da |
@@ -1738,8 +1738,29 @@ func TestNilUser(t *testing.T) {
|
|
|
1429da |
}
|
|
|
1429da |
|
|
|
1429da |
func TestInvalidUserPassword(t *testing.T) {
|
|
|
1429da |
- _, err := Parse("http://us\ner:pass\nword@foo.com/")
|
|
|
1429da |
+ _, err := Parse("http://user^:passwo^rd@foo.com/")
|
|
|
1429da |
if got, wantsub := fmt.Sprint(err), "net/url: invalid userinfo"; !strings.Contains(got, wantsub) {
|
|
|
1429da |
t.Errorf("error = %q; want substring %q", got, wantsub)
|
|
|
1429da |
}
|
|
|
1429da |
}
|
|
|
1429da |
+
|
|
|
1429da |
+func TestRejectControlCharacters(t *testing.T) {
|
|
|
1429da |
+ tests := []string{
|
|
|
1429da |
+ "http://foo.com/?foo\nbar",
|
|
|
1429da |
+ "http\r://foo.com/",
|
|
|
1429da |
+ "http://foo\x7f.com/",
|
|
|
1429da |
+ }
|
|
|
1429da |
+ for _, s := range tests {
|
|
|
1429da |
+ _, err := Parse(s)
|
|
|
1429da |
+ const wantSub = "net/url: invalid control character in URL"
|
|
|
1429da |
+ if got := fmt.Sprint(err); !strings.Contains(got, wantSub) {
|
|
|
1429da |
+ t.Errorf("Parse(%q) error = %q; want substring %q", s, got, wantSub)
|
|
|
1429da |
+ }
|
|
|
1429da |
+ }
|
|
|
1429da |
+
|
|
|
1429da |
+ // But don't reject non-ASCII CTLs, at least for now:
|
|
|
1429da |
+ if _, err := Parse("http://foo.com/ctl\x80"); err != nil {
|
|
|
1429da |
+ t.Errorf("error parsing URL with non-ASCII control byte: %v", err)
|
|
|
1429da |
+ }
|
|
|
1429da |
+
|
|
|
1429da |
+}
|