Diffstat (limited to 'src/net/http/request.go')
-rw-r--r-- | src/net/http/request.go | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/net/http/request.go b/src/net/http/request.go
index c9642e55c2..29e066d244 100644
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -528,7 +528,12 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
 // CONNECT requests normally give just the host and port, not a full URL.
 ruri = host
 }
- // TODO(bradfitz): escape at least newlines in ruri?
+ if stringContainsCTLByte(ruri) {
+ return errors.New("net/http: can't write control character in Request.URL")
+ }
+ // TODO: validate r.Method too? At least it's less likely to
+ // come from an attacker (more likely to be a constant in
+ // code).
 
 // Wrap the writer in a bufio Writer if it's not already buffered.
 // Don't always call NewWriter, as that forces a bytes.Buffer |
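Review bot: The guard added after `ruri = host` covers only the request target; `r.Method` is still unchecked here, as the new TODO admits, and it is presumably written on the same request line further down in `write` (outside this hunk), so a method string containing CR or LF would have the same header-injection effect for callers that build it from untrusted input. If the package's method-token check is usable at this point, a matching guard such as `if !validMethod(valueOrDefault(r.Method, "GET")) { return errors.New("net/http: invalid method") }` would close the TODO instead of leaving it open. Separately, `ruri` can be the host for CONNECT requests (see the `ruri = host` context line), so the message "control character in Request.URL" may point at the wrong field; wording it as the request target would be more accurate. A short comment stating that the check must stay ahead of the bufio wrapping, so that nothing is written to `w` before the error is returned, would protect the ordering against later edits. The body of `write` starts and ends outside the hunk.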