qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-16 20:54:48 -07:00
Code Releases Activity

net/http: omit invalid header value from error message

Browse Source 
Invalid value may contain sensitive data.

Updates #43631
This commit is contained in:
Alexander Yastrebov 2021-10-14 19:38:31 +02:00
parent 0400d536e4
commit c359542d74
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/net/http/transport.go
View File

@ -525,7 +525,8 @@ func (t *Transport) roundTrip(req *Request) (*Response, error) {
for _, v := range vv {
if !httpguts.ValidHeaderFieldValue(v) {
req.closeBody()
return nil, fmt.Errorf("net/http: invalid header field value %q for key %v", v, k)
// Don't include the value in the error, because it may be sensitive.
return nil, fmt.Errorf("net/http: invalid header field value for %q", k)
}
}
}

16
src/net/http/transport_test.go
View File

@ -6060,14 +6060,14 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
Method: " ",
URL: u,
},
wantErr: "invalid method",
wantErr: `invalid method " "`,
},
{
name: "nil URL",
req: &Request{
Method: "GET",
},
wantErr: "nil Request.URL",
wantErr: `nil Request.URL`,
},
{
name: "invalid header key",
@ -6076,7 +6076,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
Header: Header{"💡": {"emoji"}},
URL: u,
},
wantErr: "invalid header field name",
wantErr: `invalid header field name "💡"`,
},
{
name: "invalid header value",
@ -6085,7 +6085,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
Header: Header{"key": {"\x19"}},
URL: u,
},
wantErr: "invalid header field value",
wantErr: `invalid header field value for "key"`,
},
{
name: "non HTTP(s) scheme",
@ -6093,7 +6093,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
Method: "POST",
URL: &url.URL{Scheme: "faux"},
},
wantErr: "unsupported protocol scheme",
wantErr: `unsupported protocol scheme "faux"`,
},
{
name: "no Host in URL",
@ -6101,7 +6101,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
Method: "POST",
URL: &url.URL{Scheme: "http"},
},
wantErr: "no Host",
wantErr: `no Host in request URL`,
},
}
@ -6117,8 +6117,8 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
if !bc {
t.Fatal("Expected body to have been closed")
}
if g, w := err.Error(), tt.wantErr; !strings.Contains(g, w) {
t.Fatalf("Error mismatch\n\t%q\ndoes not contain\n\t%q", g, w)
if g, w := err.Error(), tt.wantErr; !strings.HasSuffix(g, w) {
t.Fatalf("Error mismatch: %q does not end with %q", g, w)
}
})
}