net/http: error returned by Client may leak password

[arthurpaimarnold]

What version of Go are you using (go version)?

$ go version
go version go1.12.1 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/I859592/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/I859592/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build080205514=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Perform an HTTP request that fails by returning an error message that does not contain the password.

Playground link: https://play.golang.org/p/1MA3niQ8-sG

What did you expect to see?

Password replaced with asterisks in the error message. As the Playground code shows, this does happen when the password doesn't contain any URL-encoded characters (probably from the fix for #24572).

What did you see instead?

Password with URL-encoded characters is visible in the error message.

[gopherbot]

Change https://golang.org/cl/175018 mentions this issue: net/http: strip escaped password from error