Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: client should not include raw header values in error messages #43631

Open
eli-darkly opened this issue Jan 11, 2021 · 1 comment
Open

net/http: client should not include raw header values in error messages #43631

eli-darkly opened this issue Jan 11, 2021 · 1 comment
Milestone

Comments

@eli-darkly
Copy link

@eli-darkly eli-darkly commented Jan 11, 2021

What version of Go are you using (go version)?

$ go version
go version go1.15.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/elibishop/Library/Caches/go-build"
GOENV="/Users/elibishop/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/elibishop/.gvm/pkgsets/go1.15.6/global/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/elibishop/.gvm/pkgsets/go1.15.6/global"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/elibishop/.gvm/gos/go1.15.6"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/elibishop/.gvm/gos/go1.15.6/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/elibishop/work/test/goheaderbug/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/c8/g71crjpd18nc6jkdykcvp_ww0000gn/T/go-build182950335=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

package main

import (
	"fmt"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "http://worldtimeapi.org/api/timezone", nil)
	req.Header.Add("Authorization", "my-secret-key\n")
	_, err := http.DefaultClient.Do(req)
	fmt.Println(err)
}

What did you expect to see?

Since a newline isn't a valid character in an HTTP header value, I would expect Go's HTTP client to return an error complaining about a bad header. And it does, but...

What did you see instead?

Get "http://worldtimeapi.org/api/timezone": net/http: invalid header field value "my-secret-key\n" for key Authorization

I think it's highly undesirable to include the full actual header value in an error message like this, since it's very common to write the message for any I/O error into the application log. In this particular example it's especially inappropriate since this is specifically the Authorization header, whose value is virtually guaranteed to be sensitive information, but really any header value could be sensitive.

This is not a contrived example - one of our customers accidentally included a newline suffix in the API key they provided to our library, and they were very unhappy to see that the key ended up in their log because our code was logging I/O errors.

@ianlancetaylor ianlancetaylor changed the title HTTP client should not include raw header values in error messages net/http: client should not include raw header values in error messages Jan 11, 2021
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 11, 2021
@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Jan 11, 2021

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.