net/http: Request.Write and Request.WriteProxy insufficiently validate User-Agent header #61824

Closed
@neild

Description

The net/http Request.Write and Request.WriteProxy functions do not validate the contents of the User-Agent header. A maliciously-crafted User-Agent field can inject request headers or entire new requests into the output.

This does not affect requests sent using Transport.RoundTrip, which validates all header values in Request.Header.

This cannot affect proxied requests or requests read with http.ReadRequest, since we would reject the invalid header at read time.

Given the limited circumstances this applies to, I'm inclined to call it a simple bug rather than a vulnerability. If it is a vulnerability, it's difficult enough to exploit that it seems reasonable to call it PUBLIC track.

Thanks to RyotaK (https://ryotak.net/) for reporting this issue.
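
A caller-side guard for the case described above, as an added Go example (not code from the Go project or from its fix): code that serializes requests with Request.Write can check every header value, User-Agent included, before writing. The helper names, the example.com URL and the sample User-Agent strings are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// validFieldValue (hypothetical helper) rejects control characters other than
// horizontal tab, so a value cannot end its own header line.
func validFieldValue(v string) bool {
	return strings.IndexFunc(v, func(r rune) bool {
		return (r < 0x20 && r != '\t') || r == 0x7f
	}) < 0
}

// checkedWrite validates every header value before calling Request.Write.
func checkedWrite(w io.Writer, req *http.Request) error {
	for name, values := range req.Header {
		for _, v := range values {
			if !validFieldValue(v) {
				return fmt.Errorf("invalid value for header %q", name)
			}
		}
	}
	return req.Write(w)
}

// writeWithUserAgent returns the serialized request, or the validation error.
func writeWithUserAgent(ua string) (string, error) {
	req, err := http.NewRequest("GET", "http://example.com/", nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("User-Agent", ua)
	var buf bytes.Buffer
	err = checkedWrite(&buf, req)
	return buf.String(), err
}

func main() {
	// Constructed inputs: one ordinary value, one containing CR LF.
	for _, ua := range []string{"example-client/1.0", "example-client/1.0\r\nX-Added: 1"} {
		out, err := writeWithUserAgent(ua)
		fmt.Printf("%q -> err=%v, %d bytes written\n", ua, err, len(out))
	}
}
```

Because the check runs before Request.Write is called, a rejected request leaves the writer untouched.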
