Commit ad5d91c1 authored by Kale Blankenship's avatar Kale Blankenship Committed by Brad Fitzpatrick

net/url: prefix relative paths containing ":" in the first segment with "./"

This change modifies URL.String to prepend "./" to a relative URL which
contains a colon in the first path segment.

Per RFC 3986 §4.2:

> A path segment that contains a colon character (e.g., "this:that")
> cannot be used as the first segment of a relative-path reference, as
> it would be mistaken for a scheme name.  Such a segment must be
> preceded by a dot-segment (e.g., "./this:that") to make a relative-
> path reference.

https://go-review.googlesource.com/27440 corrects the behavior for http.FileServer,
but URL.String will still return an invalid URL. This CL reverts the changes to
http.FileServer as they are unnecessary with this fix.

Fixes #17184

Change-Id: I9211ae20f82c91b785d1b079b2cd766487d94225
Reviewed-on: https://go-review.googlesource.com/29610Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent cddddbc6
......@@ -90,7 +90,7 @@ func dirList(w ResponseWriter, f File) {
// part of the URL path, and not indicate the start of a query
// string or fragment.
url := url.URL{Path: name}
fmt.Fprintf(w, "<a href=\"./%s\">%s</a>\n", url.String(), htmlReplacer.Replace(name))
fmt.Fprintf(w, "<a href=\"%s\">%s</a>\n", url.String(), htmlReplacer.Replace(name))
}
fmt.Fprintf(w, "</pre>\n")
}
......
......@@ -270,10 +270,11 @@ func TestFileServerEscapesNames(t *testing.T) {
tests := []struct {
name, escaped string
}{
{`simple_name`, `<a href="./simple_name">simple_name</a>`},
{`"'<>&`, `<a href="./%22%27%3C%3E&">&#34;&#39;&lt;&gt;&amp;</a>`},
{`?foo=bar#baz`, `<a href="./%3Ffoo=bar%23baz">?foo=bar#baz</a>`},
{`<combo>?foo`, `<a href="./%3Ccombo%3E%3Ffoo">&lt;combo&gt;?foo</a>`},
{`simple_name`, `<a href="simple_name">simple_name</a>`},
{`"'<>&`, `<a href="%22%27%3C%3E&">&#34;&#39;&lt;&gt;&amp;</a>`},
{`?foo=bar#baz`, `<a href="%3Ffoo=bar%23baz">?foo=bar#baz</a>`},
{`<combo>?foo`, `<a href="%3Ccombo%3E%3Ffoo">&lt;combo&gt;?foo</a>`},
{`foo:bar`, `<a href="./foo:bar">foo:bar</a>`},
}
// We put each test file in its own directory in the fakeFS so we can look at it in isolation.
......@@ -349,7 +350,7 @@ func TestFileServerSortsNames(t *testing.T) {
t.Fatalf("read Body: %v", err)
}
s := string(b)
if !strings.Contains(s, "<a href=\"./a\">a</a>\n<a href=\"./b\">b</a>") {
if !strings.Contains(s, "<a href=\"a\">a</a>\n<a href=\"b\">b</a>") {
t.Errorf("output appears to be unsorted:\n%s", s)
}
}
......
......@@ -713,6 +713,17 @@ func (u *URL) String() string {
if path != "" && path[0] != '/' && u.Host != "" {
buf.WriteByte('/')
}
if buf.Len() == 0 {
// RFC 3986 §4.2
// A path segment that contains a colon character (e.g., "this:that")
// cannot be used as the first segment of a relative-path reference, as
// it would be mistaken for a scheme name. Such a segment must be
// preceded by a dot-segment (e.g., "./this:that") to make a relative-
// path reference.
if i := strings.IndexByte(path, ':'); i > -1 && strings.IndexByte(path[:i], '/') == -1 {
buf.WriteString("./")
}
}
buf.WriteString(path)
}
if u.ForceQuery || u.RawQuery != "" {
......
......@@ -676,6 +676,44 @@ func TestParseRequestURI(t *testing.T) {
}
}
var stringURLTests = []struct {
url URL
want string
}{
// No leading slash on path should prepend slash on String() call
{
url: URL{
Scheme: "http",
Host: "www.google.com",
Path: "search",
},
want: "http://www.google.com/search",
},
// Relative path with first element containing ":" should be prepended with "./", golang.org/issue/17184
{
url: URL{
Path: "this:that",
},
want: "./this:that",
},
// Relative path with second element containing ":" should not be prepended with "./"
{
url: URL{
Path: "here/this:that",
},
want: "here/this:that",
},
// Non-relative path with first element containing ":" should not be prepended with "./"
{
url: URL{
Scheme: "http",
Host: "www.google.com",
Path: "this:that",
},
want: "http://www.google.com/this:that",
},
}
func TestURLString(t *testing.T) {
for _, tt := range urltests {
u, err := Parse(tt.in)
......@@ -693,15 +731,10 @@ func TestURLString(t *testing.T) {
}
}
// No leading slash on path should prepend
// slash on String() call
noslash := URL{
Scheme: "http",
Host: "www.google.com",
Path: "search",
}
if got, want := noslash.String(), "http://www.google.com/search"; got != want {
t.Errorf("No slash\ngot %q\nwant %q", got, want)
for _, tt := range stringURLTests {
if got := tt.url.String(); got != tt.want {
t.Errorf("%+v.String() = %q; want %q", tt.url, got, tt.want)
}
}
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment