net/url: omit URL's password when stringifying URL in Error #24572
Comments
|
cc @bradfitz |
It's really not that common, and it's been dying out for years, but this proposal sounds fine to me. |
bradfitz
added
Proposal-Accepted
NeedsFix
bradfitz
changed the title
|
Change https://golang.org/cl/102855 mentions this issue: |
|
Hi, I am a new contributor, can I start working on this? I am thinking of modifying "urlStr" after line 521 in the block given by @ejholmes so that if it contains strings like "pass=" or "password=", then it replaces the password by "<PASSWORD>" string. For example, the above error: |
|
@adi93 It appears that someone has already sent a patch to fix this. It's linked in the message above yours. |
|
My mistake, I didn't notice that, and his approach is much better than mine too. Still, plenty of help wanted tags here. |
This was previously part of a larger PR, but that was closed. prometheus#4048 (comment) This change could include auth information in the URL. That's been fixed in upstream go, but not until Go 1.11. See: golang/go#24572 Signed-off-by: Adam Shannon <adamkshannon@gmail.com>
This was previously part of a larger PR, but that was closed. #4048 (comment) This change could include auth information in the URL. That's been fixed in upstream go, but not until Go 1.11. See: golang/go#24572 Signed-off-by: Adam Shannon <adamkshannon@gmail.com>
|
Any chance of getting a30d24f cherry picked into the next release? |
|
@stevenh, file a new bug to request backports. |
This was previously part of a larger PR, but that was closed. prometheus#4048 (comment) This change could include auth information in the URL. That's been fixed in upstream go, but not until Go 1.11. See: golang/go#24572 Signed-off-by: Adam Shannon <adamkshannon@gmail.com>
|
Stumbled upon this case not covered. |
|
As @cheynearista pointed out, the issue persists when there are URL-encoded characters in the password. See this example: https://play.golang.org/p/1MA3niQ8-sG. |
|
@cheynearista, @arthurpaimarnold, please file a new bug. This bug is closed and therefore not tracked anywhere on our dashboards or release process. You can reference this bug from your new bug. |
It's fairly common practice to pack basic auth credentials in a URL string:
When basic authentication credentials are provided in this manner,
net/httpwill automatically set the Authorization header before sending the request, however,net/httpleaves the original URL string un-modified.This has the potential to create nasty little security problems when errors occur. Consider the following program:
When ran, you'll see the following output:
It's fairly common practice in Go programs to bubble errors up the call stack. In many cases, these errors can be shown to untrusted parties if care isn't taken. Obviously, there's a lot of things that can be done to mitigate this (don't pass creds in the URL string, don't bubble up internal errors to untrusted parties, use http signatures instead of long lived creds, etc), but I think Go could provide a better secure default here. Equivalent versions in ruby and python will not display the credentials.
I'd propose that this block be changed so that, if the condition matches, the basic auth creds are stripped from the raw URL string, so that they won't end up in
url.Error's.The text was updated successfully, but these errors were encountered: