net/http: request returns non-idiomatic error messages that may leak sensitive info #47442
Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (go env)?
What did you do?
Got a context deadline timeout from an HTTP PATCH request.
What did you expect to see?
An idiomatic error return.
What did you see instead?
i.e. returned error has "patch" capitalized.
Error also includes the entire URL, even for a POST/PUT/PATCH which may involve a sensitive URL.
Comments
The HTTP verb formatting is from net/http/client.go in urlErrorOp. I'd suggest that it should either make the verb all caps (like in the actual protocol and the http.MethodFoo constants), or leave it lower case.
I'd argue that it's the responsibility of the code calling request.Do to log the entire URL if appropriate. Having to perform a text search-and-replace on error strings to sanitize them before reporting them is undesirable.
Sample code
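An added example (not code from the issue or from the Go project) of handling this on the caller side without string search-and-replace: a failed Client.Do returns a *url.Error, so the method, URL and cause can be read from its Op, URL and Err fields. The helper name sanitizeHTTPError, the blocking transport, and the URL and token are constructed for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// blockingTransport stands in for a slow server, so no network is needed.
type blockingTransport struct{}

func (blockingTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	<-r.Context().Done()
	return nil, r.Context().Err()
}

// doPatch hits the context deadline; URL and token are constructed samples.
func doPatch() error {
	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Millisecond)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodPatch,
		"https://api.example.test/v1/users/42?token=CONSTRUCTED-SECRET", nil)
	if err != nil {
		return err
	}
	_, err = (&http.Client{Transport: blockingTransport{}}).Do(req)
	return err
}

// sanitizeHTTPError (hypothetical helper) keeps method, scheme, host and cause.
func sanitizeHTTPError(err error) error {
	var ue *url.Error
	if !errors.As(err, &ue) {
		return err
	}
	target := "(unparseable URL)"
	if u, perr := url.Parse(ue.URL); perr == nil {
		target = u.Scheme + "://" + u.Host
	}
	return fmt.Errorf("%s %s: %w", strings.ToUpper(ue.Op), target, ue.Err)
}

func main() {
	err := doPatch()
	fmt.Printf("raw:       %v\nsanitized: %v\n", err, sanitizeHTTPError(err))
}
```

Because the cause is wrapped with %w, errors.Is(err, context.DeadlineExceeded) still works on the sanitized error.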