net/url: username in authority is not strictly in RFC3986 #22655
Labels: NeedsInvestigation
What version of Go are you using (`go version`)?
go version devel +5a5223297a Wed Nov 1 11:43:41 2017 -0700 windows/amd64
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (`go env`)?
Windows 7 64bit
What did you do?
https://play.golang.org/p/HFm27EmRPU
What did you expect to see?
error should be returned
What did you see instead?
no errors.
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
In this slide, some URL parsers are mentioned, and they seem to be different from cURL. RFC3986 says username is filled with `unreserved / pct-encoded / sub-delims`. https://tools.ietf.org/html/rfc3986
And whatwg-url says: https://url.spec.whatwg.org/#authority-state
Go's implementation finds `@` in the authority using `strings.LastIndex`.
go/src/net/url/url.go, line 535 in 5d0cab0
If the implementation should strictly follow RFC3986 and whatwg-url, multiple `@` should be treated as an error, I think.
related issue #3439
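The behaviour the issue describes, shown side by side with the strict RFC 3986 check it asks for. This is an added example, not code from the issue, the playground link, or the Go project: `GoSplit` just wraps `net/url` to show that the last `@` wins, while `ValidUserinfo` and `StrictSplitAuthority` are my own names for a validator that applies the `unreserved / pct-encoded / sub-delims / ":"` rule and rejects a second `@` instead of folding it into the username. The input URLs are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// isHex reports whether c is an ASCII hexadecimal digit.
func isHex(c byte) bool {
	return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F')
}

// ValidUserinfo reports whether s matches RFC 3986 section 3.2.1 exactly:
//
//	userinfo   = *( unreserved / pct-encoded / sub-delims / ":" )
//	unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
//	sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
//
// "@" is not in the set, so a username holding a raw "@" is rejected.
func ValidUserinfo(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '%':
			// pct-encoded is "%" followed by exactly two hex digits.
			if i+2 >= len(s) || !isHex(s[i+1]) || !isHex(s[i+2]) {
				return false
			}
			i += 2
		case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9':
		case strings.IndexByte("-._~!$&'()*+,;=:", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// GoSplit shows how net/url itself divides the authority: it looks for the
// LAST "@" (strings.LastIndex), so "a@b@example.com" yields username "a@b"
// and host "example.com" with no error.
func GoSplit(rawURL string) (username, host string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	if u.User != nil {
		username = u.User.Username()
	}
	return username, u.Host, nil
}

// StrictSplitAuthority applies the RFC 3986 rule to the authority of rawURL
// (the text between "//" and the next "/", "?" or "#"): at most one "@", and
// everything before it must satisfy ValidUserinfo. It returns the raw
// (not unescaped) userinfo and the host.
func StrictSplitAuthority(rawURL string) (userinfo, host string, err error) {
	start := strings.Index(rawURL, "//")
	if start < 0 {
		return "", "", errors.New("no authority component")
	}
	authority := rawURL[start+2:]
	if end := strings.IndexAny(authority, "/?#"); end >= 0 {
		authority = authority[:end]
	}
	switch strings.Count(authority, "@") {
	case 0:
		return "", authority, nil
	case 1:
		at := strings.Index(authority, "@")
		userinfo, host = authority[:at], authority[at+1:]
	default:
		return "", "", fmt.Errorf("authority %q contains more than one '@'", authority)
	}
	if !ValidUserinfo(userinfo) {
		return "", "", fmt.Errorf("userinfo %q is outside the RFC 3986 userinfo set", userinfo)
	}
	return userinfo, host, nil
}

func main() {
	// Constructed sample inputs, not taken from the issue's playground link.
	for _, raw := range []string{
		"http://a@b@example.com/",
		"http://user:p%40ss@example.com/path",
		"http://example.com:8080/x",
	} {
		user, host, err := GoSplit(raw)
		fmt.Printf("net/url %-38s user=%q host=%q err=%v\n", raw, user, host, err)
		user, host, err = StrictSplitAuthority(raw)
		fmt.Printf("strict  %-38s user=%q host=%q err=%v\n", raw, user, host, err)
	}
}
```

The difference between the two rows for the first input is the whole point of the report: a validator that rejects a second `@` (or any character outside the RFC set) makes the ambiguous authority an error instead of a silently re-interpreted username.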