New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/url: URL allows malformed query round trip [1.10 backport] #29922

Closed
gopherbot opened this Issue Jan 24, 2019 · 6 comments

Comments

Projects
None yet
4 participants
@gopherbot
Copy link

gopherbot commented Jan 24, 2019

@FiloSottile requested issue #22907 to be considered for backport to the next 1.10 minor release.

@gopherbot please open backport issues.

This has security implications, and CL 159157 is safe enough to backport.

@dmitshur

This comment has been minimized.

Copy link
Member

dmitshur commented Jan 24, 2019

I will make a cherry-pick CL for this.

I am using this as an opportunity to verify an answer I am planning to provide to this question.

@gopherbot

This comment has been minimized.

Copy link
Author

gopherbot commented Jan 24, 2019

Change https://golang.org/cl/159478 mentions this issue: [release-branch.go1.10] net/url, net/http: reject control characters in URLs

@dmitshur

This comment has been minimized.

Copy link
Member

dmitshur commented Jan 31, 2019

@bradfitz In CL 159478, you said:

[Code-Review -2] We're going to backport the later fix instead.

Should this issue lose its CherryPickApproved label and/or be closed? Or are you going to re-use it to backport that different fix (as mentioned in #29923 (comment))? In any case, leaving to you.

@FiloSottile

This comment has been minimized.

Copy link
Member

FiloSottile commented Jan 31, 2019

This should stay open until we backport something.

@gopherbot

This comment has been minimized.

Copy link
Author

gopherbot commented Jan 31, 2019

Change https://golang.org/cl/160678 mentions this issue: [release-branch.go1.10] net/http, net/url: reject control characters in URLs

@gopherbot

This comment has been minimized.

Copy link
Author

gopherbot commented Feb 1, 2019

Closed by merging d4cf10b to release-branch.go1.10.

@gopherbot gopherbot closed this Feb 1, 2019

gopherbot pushed a commit that referenced this issue Feb 1, 2019

[release-branch.go1.10] net/http, net/url: reject control characters …
…in URLs

Cherry pick of combined CL 159157 + CL 160178.

Fixes #29922
Updates #27302
Updates #22907

Change-Id: I6de92c14284595a58321a4b4d53229285979b872
Reviewed-on: https://go-review.googlesource.com/c/160678
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment