
Commit 2d5ce9b

net/http: sanitize User-Agent header in request writer
Apply the same transformations to the User-Agent header value that we do to other headers. Avoids header and request smuggling in Request.Write and Request.WriteProxy. RoundTrip already validates values in Request.Header, and didn't allow bad User-Agent values to make it as far as the request writer. Fixes #61824 Change-Id: I360a915c7e08d014e0532bd5af196a5b59c89395 Reviewed-on: https://go-review.googlesource.com/c/go/+/516836 Reviewed-by: Jonathan Amsterdam <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
1 parent 6e43407 commit 2d5ce9b


2 files changed

+21
-0
lines changed


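--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@@ -669,6 +669,8 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
 userAgent = r.Header.Get("User-Agent")
 }
 if userAgent != "" {
+userAgent = headerNewlineToSpace.Replace(userAgent)
+userAgent = textproto.TrimString(userAgent)
 _, err = fmt.Fprintf(w, "User-Agent: %s\r\n", userAgent)
 if err != nil {
 return err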
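Review bot: The two added sanitization lines run after the `if userAgent != ""` guard, so a value consisting only of whitespace or CR/LF (for example `"\r\n"`) passes the guard, is trimmed to empty, and is emitted as `User-Agent: \r\n` — an empty field — whereas an explicitly empty value suppresses the header entirely. If suppression is the intended semantics for "nothing usable", hoist the sanitization above the guard: `userAgent = headerNewlineToSpace.Replace(userAgent)`, `userAgent = textproto.TrimString(userAgent)`, then `if userAgent != "" {`. Note also that headerNewlineToSpace only rewrites CR and LF; other control bytes still reach the Fprintf here, which is presumably acceptable because, per the commit message, RoundTrip validates Request.Header before this path, but direct callers of Write/WriteProxy get no such check. The enclosing write method starts and ends outside the hunk.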

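--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
@@ -787,6 +787,25 @@ func TestRequestBadHostHeader(t *testing.T) {
 }
 }
 
+func TestRequestBadUserAgent(t *testing.T) {
+got := []string{}
+req, err := NewRequest("GET", "http://foo/after", nil)
+if err != nil {
+t.Fatal(err)
+}
+req.Header.Set("User-Agent", "evil\r\nX-Evil: evil")
+req.Write(logWrites{t, &got})
+want := []string{
+"GET /after HTTP/1.1\r\n",
+"Host: foo\r\n",
+"User-Agent: evil X-Evil: evil\r\n",
+"\r\n",
+}
+if !reflect.DeepEqual(got, want) {
+t.Errorf("Writes = %q\n Want = %q", got, want)
+}
+}
+
 func TestStarRequest(t *testing.T) {
 req, err := ReadRequest(bufio.NewReader(strings.NewReader("M-SEARCH * HTTP/1.1\r\n\r\n")))
 if err != nil {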
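Review bot: The error returned by `req.Write(logWrites{t, &got})` is discarded, so a failure inside Write would surface only as a confusing mismatch in the DeepEqual comparison rather than as the real cause; write it as `if err := req.Write(logWrites{t, &got}); err != nil { t.Fatal(err) }`. The test also exercises only Request.Write, while the commit message states Request.WriteProxy is affected as well; a second case calling `req.WriteProxy(...)` with the same malicious value (expecting the absolute-URI request line) would pin that path. An input with surrounding whitespace, e.g. `" evil\r\n"`, would additionally cover the TrimString step, which the current input does not distinguish. TestRequestBadUserAgent lies entirely within the hunk.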
