net/url: reject space in host; do not escape < > " in host
Host names in URLs must not use %-escaping for ASCII bytes, per RFC 3986. url.Parse has historically allowed spaces and < > " in the URL host. In Go 1.5, URL's String method started escaping those, but then Parse would rejects the escaped form. This CL is an attempt at some consistency between Parse and String as far as the accepted host characters and the encoding of host characters, so that if Parse succeeds, then Parse -> String -> Parse also succeeds. Allowing space seems like a mistake, so reject that in Parse. (Similarly, reject \t, \x01, and so on, all of which were being allowed.) Allowing < > " doesn't seem awful, so continue to do that, and go back to the Go 1.4 behavior of not escaping them in String. Fixes #11302. Change-Id: I0bf65b874cd936598f20694574364352a5abbe5f Reviewed-on: https://go-review.googlesource.com/17387Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
Showing
Please register or sign in to comment