Skip to content

net/url: Parse accepts invalid userinfo strings #23392

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bradfitz opened this issue Jan 9, 2018 · 9 comments
Closed

net/url: Parse accepts invalid userinfo strings #23392

bradfitz opened this issue Jan 9, 2018 · 9 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Go1.9.3

Comments

@bradfitz
Copy link
Contributor

bradfitz commented Jan 9, 2018

@adamdecaf reported that net/url.Parse accepts URLs with userinfo components containing just about anything (newlines and random non-ASCII Unicode).

This could be a security problem if people use the resulting URL.User.Username & Password without further validation.
@bradfitz bradfitz added Security NeedsFix The path to resolution is known, but the work has not been done. labels Jan 9, 2018
@bradfitz bradfitz added this to the Go1.10 milestone Jan 9, 2018
@bradfitz bradfitz self-assigned this Jan 9, 2018
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/87038 mentions this issue: net/url: reject invalid userinfo values when parsing URLs

@bradfitz bradfitz modified the milestones: Go1.10, Go1.9.3 Jan 10, 2018
@bradfitz bradfitz reopened this Jan 10, 2018
@andybons
Copy link
Member

andybons commented Jan 18, 2018
edited
Loading

CL 88535 OK for Go 1.9.3.

@andybons andybons mentioned this issue Jan 18, 2018
Closed
@andybons andybons added the CherryPickApproved Used during the release process for point releases label Jan 18, 2018
This was referenced Jan 18, 2018
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/88535 mentions this issue: [release-branch.go1.9] net/url: reject invalid userinfo values when parsing URLs

gopherbot pushed a commit that referenced this issue Jan 22, 2018
@bradfitz @andybons
[release-branch.go1.9] net/url: reject invalid userinfo values when p…
0a72be2 
…arsing URLs

Fixes #23392

Change-Id: I5822b082b14d886b9c3b5ad7beebb2c01a77851b
Reviewed-on: https://go-review.googlesource.com/87038
Run-TryBot: Brad Fitzpatrick <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Reviewed-on: https://go-review.googlesource.com/88535
Run-TryBot: Andrew Bonventre <[email protected]>
@andybons
Copy link
Member

go1.9.3 has been packaged and includes:

  • CL 88535 [release-branch.go1.9] net/url: reject invalid userinfo values when parsing URLs

The release is posted at golang.org/dl.

— golang.org/x/build/cmd/releasebot, Jan 22 21:02:59 UTC

@ernsheong
Copy link

ernsheong commented Jan 27, 2018
edited
Loading

My application stopped talking to the database. Turns out database password contained a [ which isn't whitelisted 😭 Bad idea to have symbols in DB password I guess.

@adamdecaf
Copy link
Contributor

Oh.. How were you parsing/handling the uri?

@ernsheong
Copy link

I was using https://github.com/jackc/pgx, which was using net/url to do it

@adamdecaf
Copy link
Contributor

adamdecaf commented Jan 28, 2018
edited
Loading

Percent encoding passes fine for me. From https://stackoverflow.com/questions/23353623/how-to-handle-special-characters-in-the-password-of-a-postgresql-url-connection

package main

import (
	"fmt"
	"net/url"
)

func main() {
	// raw := "postgresql://daniel:p$ass@localhost/test"
	raw := "postgresql://daniel:p%24ass@localhost"

	fmt.Printf("RAW: %q\n", raw)
	u, err := url.Parse(raw)
	if err != nil {
		fmt.Printf("ERROR: %v\n", err)
	}
	fmt.Println(u.String())
}
$ go run /tmp/jdbc.go 
RAW: "postgresql://daniel:p%24ass@localhost"
postgresql://daniel:p$ass@localhost

Edit: I tried with ] also.

$ go run /tmp/jdbc.go 
RAW: "postgresql://daniel:p%5Bass@localhost"
postgresql://daniel:p%5Bass@localhost

@bradfitz bradfitz mentioned this issue Feb 1, 2018
Closed
@AlphaWong
Copy link

I would like to know did all those changes pass the test in OSX as I can get an & operator in arch Linux but my workmate get a \u0026 in his macbook.

After I use the docker image 1.8-apline
This issue got.

I will update the screen shot later

@namusyaka namusyaka mentioned this issue Feb 26, 2018
Closed
@DonnieWest DonnieWest mentioned this issue Mar 15, 2018
Closed
bitspill added a commit to bitspill/flojson that referenced this issue Apr 17, 2018
@bitspill
escape user/pass
0dea8cc 
Necessary since Go 1.9.3
golang/go#23392
@bitspill bitspill mentioned this issue Apr 17, 2018
Merged
@dougm dougm mentioned this issue May 1, 2018
Closed
@jrasell jrasell mentioned this issue May 2, 2018
Closed
@bruth bruth mentioned this issue May 23, 2018
Closed
@HeatfanJohn HeatfanJohn mentioned this issue Jul 9, 2018
Closed
@russjones russjones mentioned this issue Nov 16, 2018
Closed
@golang golang locked and limited conversation to collaborators Feb 9, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Go1.9.3
Development

No branches or pull requests
6 participants
@bradfitz @adamdecaf @andybons @ernsheong @AlphaWong @gopherbot