net/http: on CheckRedirect failure, error message should refer to the original (redirected) URL, not the rejected redirect #34080

Open
bcmills opened this issue Sep 4, 2019 · 0 comments

What version of Go are you using (go version)?

example.com$ go1.13 version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
example.com$ go1.13 env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/bcmills/.cache/go-build"
GOENV="/usr/local/google/home/bcmills/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/tmp/tmp.V4fL5k5JdS/_gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/google/home/bcmills/sdk/go1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/bcmills/sdk/go1.13/pkg/tool/linux_amd64"
GCCGO="/usr/local/google/home/bcmills/bin/gccgo"
AR="ar"
CC="gcc"
CXX="c++"
CGO_ENABLED="1"
GOMOD="/tmp/tmp.V4fL5k5JdS/example.com/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build400745746=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Ran the program found at https://play.golang.org/p/42egMHzeuTR.

example.com$ cat >./main.go <<EOF
package main

import (
	"fmt"
	"net/http"
)

var securityPreservingHTTPClient = &http.Client{
	CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) > 0 && via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
			lastHop := via[len(via)-1].URL
			return fmt.Errorf("redirected from secure URL %s to insecure URL %s", lastHop, req.URL)
		}
		return nil
	},
}

func main() {
	_, err := securityPreservingHTTPClient.Get("https://vcs-test.golang.org/insecure/go/insecure")
	fmt.Println(err)
}
EOF

example.com$ cat >./go.mod <<EOF
module example.com

go 1.13
EOF

example.com$ go1.13 run .

What did you expect to see?

Get "https://vcs-test.golang.org/insecure/go/insecure": redirected from secure URL https://vcs-test.golang.org/insecure/go/insecure to insecure URL http://vcs-test.golang.org/go/insecure

Since the http.Client should not have attempted to fetch the insecure URL in the first place, the insecure URL should not be the one reported for the failed Get operation.

What did you see instead?

Get "http://vcs-test.golang.org/go/insecure": redirected from secure URL https://vcs-test.golang.org/insecure/go/insecure to insecure URL http://vcs-test.golang.org/go/insecure

The URL that follows the Get token is one for which no HTTP GET was actually attempted.

CC @bradfitz

@bcmills bcmills added this to the Go1.14 milestone Sep 4, 2019
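
An offline reproduction of the scenario reported above, added here as an example (not code from the issue or from the Go project). It swaps vcs-test.golang.org for two constructed local `httptest` servers and returns a typed policy error, so a caller can log the hop that issued the redirect without relying on the URL `net/http` places in the message; `DowngradeError`, `noDowngrade` and `Probe` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// DowngradeError (hypothetical name) records the hop that issued the redirect and its target.
type DowngradeError struct{ From, To string }

func (e *DowngradeError) Error() string {
	return fmt.Sprintf("redirected from secure URL %s to insecure URL %s", e.From, e.To)
}

// noDowngrade is the issue's CheckRedirect policy, returning the typed error instead.
func noDowngrade(req *http.Request, via []*http.Request) error {
	if len(via) > 0 && via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
		return &DowngradeError{From: via[len(via)-1].URL.String(), To: req.URL.String()}
	}
	return nil
}

// Probe does one GET against constructed local servers: an HTTPS one that redirects to a plain-HTTP one.
func Probe() (ue *url.Error, de *DowngradeError, plainHits int64) {
	var hits int64 // requests that actually reached the plain-HTTP server
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&hits, 1)
	}))
	defer plain.Close()
	secure := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, plain.URL+"/plain", http.StatusFound)
	}))
	defer secure.Close()
	client := secure.Client() // trusts the test server's certificate
	client.CheckRedirect = noDowngrade
	_, err := client.Get(secure.URL + "/start")
	errors.As(err, &ue) // the wrapper built by net/http
	errors.As(err, &de) // the policy error inside it
	return ue, de, atomic.LoadInt64(&hits)
}

func main() {
	ue, de, hits := Probe()
	fmt.Printf("client error: %v\npolicy error: %v\nplain-HTTP requests: %d\n", ue, de, hits)
}
```

The first line printed shows whichever URL the installed Go release puts after `Get`; the request counter shows whether the plain-HTTP server was ever contacted.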
