net/url: invalid percent encodings rejected by go1.19 are now accepted #56884
Labels: FrozenDueToAge, NeedsInvestigation, release-blocker
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
No, this behavior is new in master.
What operating system and processor architecture are you using (go env)?
What did you do?
Use url.Parse to check for invalid %-encoding sequences.
What did you expect to see?
An error, matching existing go releases.
What did you see instead?
No error.
Details
This change is due to #56732 / https://go-review.googlesource.com/c/go/+/450375, which intentionally relaxes validation requirements for percent-decoding of URLs.
This means that systems using url.Parse() to ensure URLs are well-formed now accept malformed %-encoding sequences. This is already showing up as unit test failures in other projects testing against the golang dev branch, e.g. kubernetes/kubernetes#113948, and required relaxing existing go unit tests in https://go-review.googlesource.com/c/go/+/450375 to accept previously rejected data.
Hoisting my question from #56732 (comment):
If the implications of relaxing this are considered, and go1.20 decides to proceed relaxing this parsing to accept URIs as valid which go1.19 rejected as invalid, my follow-up questions are about how to roll out this change in a controlled way:
cc @dgryski @ianlancetaylor as authors of the prompting issue and CL
cc @aojea @dims for implications on cross-version Kubernetes compatibility
cc @rsc for intersection with runtime compatibility behavior discussed in #55090
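Added example, not part of the original issue and not code from the Go project: a caller that relies on url.Parse to reject malformed %-encoding can make that check explicit so the result does not depend on the toolchain's parsing behavior. The helper names checkPercentEncoding and parseStrict and the sample URLs are assumptions made for illustration; the check scans the whole input string, so it rejects a bad escape in any component.

```go
package main

import (
	"fmt"
	"net/url"
)

// isHex reports whether c is an ASCII hexadecimal digit.
func isHex(c byte) bool {
	return '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F'
}

// checkPercentEncoding (hypothetical helper) returns an error at the first
// '%' in s that is not followed by exactly two hexadecimal digits.
func checkPercentEncoding(s string) error {
	for i := 0; i < len(s); i++ {
		if s[i] != '%' {
			continue
		}
		if i+2 >= len(s) || !isHex(s[i+1]) || !isHex(s[i+2]) {
			return fmt.Errorf("invalid percent-encoding at offset %d in %q", i, s)
		}
		i += 2 // skip the two hex digits just validated
	}
	return nil
}

// parseStrict (hypothetical helper) validates escapes itself and only then
// hands the string to url.Parse for the rest of the parsing.
func parseStrict(raw string) (*url.URL, error) {
	if err := checkPercentEncoding(raw); err != nil {
		return nil, err
	}
	return url.Parse(raw)
}

func main() {
	// Constructed sample inputs: one well-formed, three malformed.
	for _, raw := range []string{
		"http://example.com/a%20b?q=%41",
		"http://example.com/%zz",
		"http://example.com/%2",
		"http://example.com/100%",
	} {
		_, err := parseStrict(raw)
		fmt.Printf("%-36q err=%v\n", raw, err)
	}
}
```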