What version of Go are you using (go version)?
go version devel +5a5223297a Wed Nov 1 11:43:41 2017 -0700 windows/amd64
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
Windows 7 64bit
What did you do?
    package main

    import (
        "fmt"
        "log"
        "net/url"
    )

    func main() {
        u, err := url.Parse("http://foo@evil.com:80@google.com/")
        if err != nil {
            log.Fatal(err)
        }
        fmt.Printf("%#v\n", u)
        fmt.Printf("%#v\n", u.User)
    }
https://play.golang.org/p/HFm27EmRPU
What did you expect to see?
error should be returned
What did you see instead?
no errors.
In this slide, some URL parsers are mentioned. And it seems to be different from cURL. RFC3986 says username is filled with unreserved / pct-encoded / sub-delims.
    userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
    pct-encoded = "%" HEXDIG HEXDIG
    sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                / "*" / "+" / "," / ";" / "="
https://tools.ietf.org/html/rfc3986
And whatwg-url says
If the @ flag is set, prepend "%40" to buffer.
https://url.spec.whatwg.org/#authority-state
Go's implementation finds @ in authority using strings.LastIndex.
Line 535 in 5d0cab0
If the implementation should strictly follow RFC3986 and whatwg-url, multiple @ should be treated as an error, I think.
related issue #3439
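A caller-side check that enforces the RFC 3986 userinfo grammar quoted in the issue before handing the string to url.Parse, so a raw "@" inside the userinfo is rejected while its "%40" form is accepted. This is an added example, not code from the issue or from the Go project; StrictParse, validUserinfo and the sample URLs are hypothetical names and constructed inputs, and the helper assumes an absolute URL of the form scheme://authority.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const hexdig = "0123456789abcdefABCDEF"

// validUserinfo checks s against RFC 3986:
// userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
func validUserinfo(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case strings.IndexByte("-._~!$&'()*+,;=:", c) >= 0:
		case c == '%' && i+2 < len(s) && strings.IndexByte(hexdig, s[i+1]) >= 0 && strings.IndexByte(hexdig, s[i+2]) >= 0:
			i += 2 // skip the two hex digits of a pct-encoded octet
		default:
			return false // anything else, including a raw "@"
		}
	}
	return true
}

// StrictParse is a hypothetical wrapper, not part of net/url. It assumes an
// absolute URL of the form scheme://authority[/path][?query][#fragment].
func StrictParse(raw string) (*url.URL, error) {
	i := strings.Index(raw, "://")
	if i < 0 {
		return nil, fmt.Errorf("strictparse: no scheme://authority in %q", raw)
	}
	rest := raw[i+3:]
	authority := rest[:strings.IndexAny(rest+"/", "/?#")] // sentinel "/" so the index is never -1
	// Split at the last "@", as the issue says net/url does, then validate.
	if at := strings.LastIndex(authority, "@"); at >= 0 && !validUserinfo(authority[:at]) {
		return nil, fmt.Errorf("strictparse: invalid userinfo %q", authority[:at])
	}
	return url.Parse(raw)
}

func main() {
	for _, raw := range []string{"http://foo@evil.com:80@google.com/", "http://foo%40evil.com:80@google.com/"} { // constructed inputs
		u, err := StrictParse(raw)
		fmt.Println(raw, "->", u, err)
	}
}
```

An "@" in the path or query is left alone, because only the authority component is inspected.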