net/http: sanitize User-Agent header in request writer

Apply the same transformations to the User-Agent header value that we do to other headers. Avoids header and request smuggling in Request.Write and Request.WriteProxy. RoundTrip already validates values in Request.Header, and didn't allow bad User-Agent values to make it as far as the request writer. Fixes #61824 Change-Id: I360a915c7e08d014e0532bd5af196a5b59c89395 Reviewed-on: https://go-review.googlesource.com/c/go/+/516836 Reviewed-by: Jonathan Amsterdam <jba@google.com> Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
2024-09-30 01:14:29 -06:00 · 2023-08-07 15:57:54 -07:00 · 2023-08-07 15:57:54 -07:00 · 2d5ce9b729
commit 2d5ce9b729
parent 6e43407931
2 changed files with 21 additions and 0 deletions
--- a/src/net/http/request.go
+++ b/src/net/http/request.go
@ -669,6 +669,8 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
 		userAgent = r.Header.Get("User-Agent")
 	}
 	if userAgent != "" {
+		userAgent = headerNewlineToSpace.Replace(userAgent)
+		userAgent = textproto.TrimString(userAgent)
 		_, err = fmt.Fprintf(w, "User-Agent: %s\r\n", userAgent)
 		if err != nil {
 			return err
--- a/src/net/http/request_test.go
+++ b/src/net/http/request_test.go
@ -787,6 +787,25 @@ func TestRequestBadHostHeader(t *testing.T) {
 	}
 }

+func TestRequestBadUserAgent(t *testing.T) {
+	got := []string{}
+	req, err := NewRequest("GET", "http://foo/after", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set("User-Agent", "evil\r\nX-Evil: evil")
+	req.Write(logWrites{t, &got})
+	want := []string{
+		"GET /after HTTP/1.1\r\n",
+		"Host: foo\r\n",
+		"User-Agent: evil  X-Evil: evil\r\n",
+		"\r\n",
+	}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("Writes = %q\n  Want = %q", got, want)
+	}
+}
+
 func TestStarRequest(t *testing.T) {
 	req, err := ReadRequest(bufio.NewReader(strings.NewReader("M-SEARCH * HTTP/1.1\r\n\r\n")))
 	if err != nil {