Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: client should not include raw header values in error messages #43631

Open
eli-darkly opened this issue Jan 11, 2021 · 3 comments
Open

net/http: client should not include raw header values in error messages #43631

eli-darkly opened this issue Jan 11, 2021 · 3 comments

Comments

@eli-darkly
Copy link

@eli-darkly eli-darkly commented Jan 11, 2021

What version of Go are you using (go version)?

$ go version
go version go1.15.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/elibishop/Library/Caches/go-build"
GOENV="/Users/elibishop/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/elibishop/.gvm/pkgsets/go1.15.6/global/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/elibishop/.gvm/pkgsets/go1.15.6/global"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/elibishop/.gvm/gos/go1.15.6"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/elibishop/.gvm/gos/go1.15.6/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/elibishop/work/test/goheaderbug/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/c8/g71crjpd18nc6jkdykcvp_ww0000gn/T/go-build182950335=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

package main

import (
	"fmt"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "http://worldtimeapi.org/api/timezone", nil)
	req.Header.Add("Authorization", "my-secret-key\n")
	_, err := http.DefaultClient.Do(req)
	fmt.Println(err)
}

What did you expect to see?

Since a newline isn't a valid character in an HTTP header value, I would expect Go's HTTP client to return an error complaining about a bad header. And it does, but...

What did you see instead?

Get "http://worldtimeapi.org/api/timezone": net/http: invalid header field value "my-secret-key\n" for key Authorization

I think it's highly undesirable to include the full actual header value in an error message like this, since it's very common to write the message for any I/O error into the application log. In this particular example it's especially inappropriate since this is specifically the Authorization header, whose value is virtually guaranteed to be sensitive information, but really any header value could be sensitive.

This is not a contrived example - one of our customers accidentally included a newline suffix in the API key they provided to our library, and they were very unhappy to see that the key ended up in their log because our code was logging I/O errors.

@ianlancetaylor ianlancetaylor changed the title HTTP client should not include raw header values in error messages net/http: client should not include raw header values in error messages Jan 11, 2021
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 11, 2021
@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Jan 11, 2021

@gopherbot
Copy link

@gopherbot gopherbot commented Oct 14, 2021

Change https://golang.org/cl/355929 mentions this issue: net/http: omit invalid header value from error message

@gopherbot
Copy link

@gopherbot gopherbot commented Oct 14, 2021

Change https://golang.org/cl/355930 mentions this issue: net/http2: omit invalid header value from error message

AlexanderYastrebov added a commit to AlexanderYastrebov/go that referenced this issue Oct 14, 2021
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue Oct 14, 2021
AlexanderYastrebov added a commit to AlexanderYastrebov/go that referenced this issue Oct 14, 2021
Invalid value may contain sensitive data.

Updates golang#43631
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue Oct 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants