net/url: parseHost doesn't valid ports or contents after IPv6 literals

Question

net/url: parseHost doesn't valid ports or contents after IPv6 literals

dvyukov opened this issue 9 years ago · 5 comments

URL parsing allows %-ending after [], which allows weird things like:

package main

import (
    "bufio"
    "bytes"
    "net/http"
    "os"
)

func main() {
    data := []byte("CONNECT []%20%48%54%54%50%2f%31%2e%31%0a%4d%79%48%65%61%64%65%72%3a%20%31%32%33%0a%0a HTTP/1.0\n\n")
    r, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data)))
    if err != nil {
        panic(err)
    }
    r.WriteProxy(os.Stdout)
}

CONNECT [] HTTP/1.1
MyHeader: 123

 HTTP/1.1
Host: [] HTTP/1.1
MyHeader: 123


User-Agent: Go 1.1

%-ending must be allowed only inside of []

go version devel +a1fe3b5 Sat Jun 13 04:33:26 2015 +0000 linux/amd64

Answer 1 · 2015-06-24T11:34:49.000Z

What is special about []? You can have %xx in GET /foo?req=%41 too.

Or is the bug here that we write out bogus newlines in Request.Write? That looks wrong.

Answer 2 · 2015-06-24T11:42:07.000Z

Sorry, this is about host. % is not otherwise allowed in host, but after [] it is.

Answer 3 · 2015-06-24T14:51:38.000Z

https://go-review.googlesource.com/11414

/cc @mikioh

Answer 4 · 2015-06-24T15:06:41.000Z

CL https://golang.org/cl/11414 mentions this issue.

Answer 5 · 2015-08-06T02:00:26.000Z

CL https://golang.org/cl/13253 mentions this issue.