Skip to content

net/url: Parse accepts invalid userinfo strings #23392

New issue
New issue
Closed
Closed
net/url: Parse accepts invalid userinfo strings#23392
Labels
CherryPickApprovedUsed during the release process for point releasesFrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security
Milestone
Go1.9.3
@bradfitz

Description

@bradfitz
bradfitz
opened on Jan 9, 2018

@adamdecaf reported that net/url.Parse accepts URLs with userinfo components containing just about anything (newlines and random non-ASCII Unicode).

This could be a security problem if people use the resulting URL.User.Username & Password without further validation.

Metadata

Metadata

Assignees

No one assigned

    Labels

    CherryPickApprovedUsed during the release process for point releasesFrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.Security

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions