Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: client should not include raw header values in error messages #43631

Open
eli-darkly opened this issue Jan 11, 2021 · 3 comments
Open
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@eli-darkly
Copy link

eli-darkly commented Jan 11, 2021

What version of Go are you using (go version)?

$ go version
go version go1.15.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/elibishop/Library/Caches/go-build"
GOENV="/Users/elibishop/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/elibishop/.gvm/pkgsets/go1.15.6/global/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/elibishop/.gvm/pkgsets/go1.15.6/global"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/elibishop/.gvm/gos/go1.15.6"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/elibishop/.gvm/gos/go1.15.6/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/elibishop/work/test/goheaderbug/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/c8/g71crjpd18nc6jkdykcvp_ww0000gn/T/go-build182950335=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

package main

import (
	"fmt"
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "http://worldtimeapi.org/api/timezone", nil)
	req.Header.Add("Authorization", "my-secret-key\n")
	_, err := http.DefaultClient.Do(req)
	fmt.Println(err)
}

What did you expect to see?

Since a newline isn't a valid character in an HTTP header value, I would expect Go's HTTP client to return an error complaining about a bad header. And it does, but...

What did you see instead?

Get "http://worldtimeapi.org/api/timezone": net/http: invalid header field value "my-secret-key\n" for key Authorization

I think it's highly undesirable to include the full actual header value in an error message like this, since it's very common to write the message for any I/O error into the application log. In this particular example it's especially inappropriate since this is specifically the Authorization header, whose value is virtually guaranteed to be sensitive information, but really any header value could be sensitive.

This is not a contrived example - one of our customers accidentally included a newline suffix in the API key they provided to our library, and they were very unhappy to see that the key ended up in their log because our code was logging I/O errors.

@ianlancetaylor ianlancetaylor changed the title HTTP client should not include raw header values in error messages net/http: client should not include raw header values in error messages Jan 11, 2021
@ianlancetaylor ianlancetaylor added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jan 11, 2021
@ianlancetaylor ianlancetaylor added this to the Backlog milestone Jan 11, 2021
@ianlancetaylor
Copy link
Member

CC @neild @bradfitz

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/355929 mentions this issue: net/http: omit invalid header value from error message

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/355930 mentions this issue: net/http2: omit invalid header value from error message

AlexanderYastrebov added a commit to AlexanderYastrebov/go that referenced this issue Oct 14, 2021
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue Oct 14, 2021
AlexanderYastrebov added a commit to AlexanderYastrebov/go that referenced this issue Oct 14, 2021
Invalid value may contain sensitive data.

Updates golang#43631
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue Oct 15, 2021
gopherbot pushed a commit to golang/net that referenced this issue Apr 3, 2022
Updates golang/go#43631

Change-Id: Iaacc875fecbdb76f4099d3eb3d67f7ec9d40c224
GitHub-Last-Rev: 3e22a9e
GitHub-Pull-Request: #115
Reviewed-on: https://go-review.googlesource.com/c/net/+/355930
Trust: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Trust: Cherry Mui <[email protected]>
dteh pushed a commit to dteh/fhttp that referenced this issue Jun 22, 2022
Updates golang/go#43631

Change-Id: Iaacc875fecbdb76f4099d3eb3d67f7ec9d40c224
GitHub-Last-Rev: 3e22a9ea2f4e4f24ccfdeeb47b57f055f0639c83
GitHub-Pull-Request: golang/net#115
Reviewed-on: https://go-review.googlesource.com/c/net/+/355930
Trust: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Trust: Cherry Mui <[email protected]>
gopherbot pushed a commit that referenced this issue Jul 1, 2022
Updates #43631

Change-Id: I0fe3aafdf7ef889fed1a830128721393f8d020e6
GitHub-Last-Rev: c359542
GitHub-Pull-Request: #48979
Reviewed-on: https://go-review.googlesource.com/c/go/+/355929
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Cherry Mui <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
jproberts pushed a commit to jproberts/go that referenced this issue Aug 10, 2022
Updates golang#43631

Change-Id: I0fe3aafdf7ef889fed1a830128721393f8d020e6
GitHub-Last-Rev: c359542
GitHub-Pull-Request: golang#48979
Reviewed-on: https://go-review.googlesource.com/c/go/+/355929
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Cherry Mui <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
WeiminShang pushed a commit to WeiminShang/net that referenced this issue Nov 16, 2022
Updates golang/go#43631

Change-Id: Iaacc875fecbdb76f4099d3eb3d67f7ec9d40c224
GitHub-Last-Rev: 3e22a9ea2f4e4f24ccfdeeb47b57f055f0639c83
GitHub-Pull-Request: golang/net#115
Reviewed-on: https://go-review.googlesource.com/c/net/+/355930
Trust: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Trust: Cherry Mui <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

3 participants