google/webrisk

IP address with space may not be canonicalized as intended.

Opened this issue · 1 comments

In urls.go there is this comment:

           // The Windows resolver allows a 4-part dotted decimal IP address to have a
           // space followed by any old rubbish, so long as the total length of the
           // string doesn't get above 15 characters. So, "10.192.95.89 xy" is
           // resolved to 10.192.95.89. If the string length is greater than 15
           // characters, e.g. "10.192.95.89 xy.wildcard.example.com", it will be
           // resolved through DNS.

This is really important as it’s yet another way an attacker could potentially bypass the system. There is a test that covers this case by testing the string "10.192.95.89 xy". However, this test only covers the parseIPAddress function. When this same string is passed through the canonicalURL function it fails because the host is escaped and thus the string passed to parseIPAddress is "10.192.95.89%20xy". It might be a good idea to run all test cases through canonicalURL (which is what I did).
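The mismatch described above (an IP check that works on the raw host but not once the host has been percent-escaped) can be reproduced in a few lines. The following is an added, self-contained example written for this page; it is not code from google/webrisk, and parseIPAddress, canonicalizeHostNaive and canonicalizeHostFixed are hypothetical stand-ins that only model the quirk quoted from urls.go (decimal octets only, 15-character limit, anything after the first space ignored). The naive variant escapes the host before the IP check, as the report describes; the fixed variant percent-decodes first so that "10.192.95.89 xy" and "10.192.95.89%20xy" canonicalize to the same address and end up matching the same blocklist entry.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// parseIPAddress models the Windows resolver quirk quoted in the issue:
// a 4-part dotted-decimal address may be followed by a space and arbitrary
// text, as long as the whole string is at most 15 characters. It returns the
// canonical dotted form and true, or "" and false if the input is not such
// an address. (Hypothetical stand-in; decimal octets only, no octal/hex.)
func parseIPAddress(s string) (string, bool) {
	if len(s) > 15 {
		return "", false
	}
	if i := strings.IndexByte(s, ' '); i >= 0 {
		s = s[:i] // "10.192.95.89 xy" -> "10.192.95.89"
	}
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return "", false
	}
	octets := make([]string, 0, 4)
	for _, p := range parts {
		if p == "" || strings.Trim(p, "0123456789") != "" {
			return "", false // empty or non-digit octet
		}
		n, err := strconv.Atoi(p)
		if err != nil || n > 255 {
			return "", false
		}
		octets = append(octets, strconv.Itoa(n)) // drops leading zeros
	}
	return strings.Join(octets, "."), true
}

// canonicalizeHostNaive reproduces the defect from the report: the host is
// percent-escaped before the IP check, so the space becomes "%20", the
// string grows past 15 characters and the address is no longer recognised.
// The bool reports whether the host was treated as an IP address.
func canonicalizeHostNaive(host string) (string, bool) {
	escaped := url.PathEscape(host) // "10.192.95.89 xy" -> "10.192.95.89%20xy"
	if ip, ok := parseIPAddress(escaped); ok {
		return ip, true
	}
	return strings.ToLower(escaped), false
}

// canonicalizeHostFixed decodes any percent-encoding first, so an already
// escaped host and its raw form are checked as the same string, and only
// then escapes whatever was not recognised as an IP address.
func canonicalizeHostFixed(host string) (string, bool) {
	decoded, err := url.PathUnescape(host)
	if err != nil {
		decoded = host // malformed escape sequence: fall back to the raw host
	}
	if ip, ok := parseIPAddress(decoded); ok {
		return ip, true
	}
	return strings.ToLower(url.PathEscape(decoded)), false
}

func main() {
	// Constructed sample hosts: the raw quirk form, its escaped form, and the
	// over-long form that the quoted comment says goes to DNS instead.
	for _, h := range []string{
		"10.192.95.89 xy",
		"10.192.95.89%20xy",
		"10.192.95.89 xy.wildcard.example.com",
	} {
		n, nok := canonicalizeHostNaive(h)
		f, fok := canonicalizeHostFixed(h)
		fmt.Printf("%-40q naive=%q(ip=%v) fixed=%q(ip=%v)\n", h, n, nok, f, fok)
	}
}
```

The test to take from this is the one the reporter suggests: feed every IP test vector through the whole canonicalization path, not just the IP parser, and assert on the final host. A unit test on parseIPAddress alone passes here while the naive full path still produces "10.192.95.89%20xy".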

Hi! Thanks for your report, I will submit a fix for this ASAP! Please let us know if you find any other issues with this client library.