diff options
author | Brad Fitzpatrick <bradfitz@golang.org> | 2019-01-29 17:22:36 +0000 |
---|---|---|
committer | Brad Fitzpatrick <bradfitz@golang.org> | 2019-01-29 20:42:54 +0000 |
commit | f1d662f34788f4a5f087581d0951cdf4e0f6e708 (patch) | |
tree | c623103182af8161447152d11c1c94f5cb41532c /src/net/http/request.go | |
parent | d34c0dbc17e61e9e7a15355e75b9578d7d024f52 (diff) | |
download | go-f1d662f34788f4a5f087581d0951cdf4e0f6e708.tar.gz go-f1d662f34788f4a5f087581d0951cdf4e0f6e708.zip |
net/url, net/http: relax CTL-in-URL validation to only ASCII CTLs
CL 159157 was doing UTF-8 decoding of URLs. URLs aren't really UTF-8,
even if sometimes they are in some contexts.
Instead, only reject ASCII CTLs.
Updates #27302
Updates #22907
Change-Id: Ibd64efa5d3a93263d175aadf1c9f87deb4670c62
Reviewed-on: https://go-review.googlesource.com/c/160178
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Diffstat (limited to 'src/net/http/request.go')
-rw-r--r-- | src/net/http/request.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go index 01ba1dc1fb..dcad2b6fab 100644 --- a/src/net/http/request.go +++ b/src/net/http/request.go @@ -550,7 +550,7 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF ruri = r.URL.Opaque } } - if strings.IndexFunc(ruri, isCTL) != -1 { + if stringContainsCTLByte(ruri) { return errors.New("net/http: can't write control character in Request.URL") } // TODO: validate r.Method too? At least it's less likely to |