net/http: strip escaped password from error

Using password that returns from User.Password() won't work in this case because password in Userinfo already unescaped. The solution is uses User.String() to escape password back again and then stringify it to error. Fixes #31808 Change-Id: I723aafd5a57a5b69f2dd7d3a21b82ebbd4174451 Reviewed-on: https://go-review.googlesource.com/c/go/+/175018 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
golang · May 3, 2019 · 2c67cdf · 2c67cdf
1 parent f5c43b9
commit 2c67cdf
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/src/net/http/client.go b/src/net/http/client.go
@@ -926,10 +926,9 @@ func isDomainOrSubdomain(sub, parent string) bool {
 }
 
 func stripPassword(u *url.URL) string {
-	pass, passSet := u.User.Password()
+	_, passSet := u.User.Password()
 	if passSet {
-		return strings.Replace(u.String(), pass+"@", "***@", 1)
+		return strings.Replace(u.String(), u.User.String()+"@", u.User.Username()+":***@", 1)
 	}
-
 	return u.String()
 }
diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
@@ -1184,6 +1184,11 @@ func TestStripPasswordFromError(t *testing.T) {
 			in:   "http://user:password@dummy.faketld/password",
 			out:  "Get http://user:***@dummy.faketld/password: dummy impl",
 		},
+		{
+			desc: "Strip escaped password",
+			in:   "http://user:pa%2Fssword@dummy.faketld/",
+			out:  "Get http://user:***@dummy.faketld/: dummy impl",
+		},
 	}
 	for _, tC := range testCases {
 		t.Run(tC.desc, func(t *testing.T) {