net/http: client should not include raw header values in error messages #43631
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
ianlancetaylor changed the title from "HTTP client should not include raw header values in error messages" to "net/http: client should not include raw header values in error messages" on Jan 11, 2021
ianlancetaylor added the NeedsInvestigation label on Jan 11, 2021
Change https://golang.org/cl/355929 mentions this issue: |
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue on Oct 14, 2021
Change https://golang.org/cl/355930 mentions this issue: |
AlexanderYastrebov added a commit to AlexanderYastrebov/go that referenced this issue on Oct 14, 2021
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue on Oct 14, 2021
AlexanderYastrebov added a commit to AlexanderYastrebov/go that referenced this issue on Oct 14, 2021
Invalid value may contain sensitive data. Updates golang#43631
AlexanderYastrebov added a commit to AlexanderYastrebov/net that referenced this issue on Oct 15, 2021
gopherbot pushed a commit to golang/net that referenced this issue on Apr 3, 2022
Updates golang/go#43631
Change-Id: Iaacc875fecbdb76f4099d3eb3d67f7ec9d40c224
GitHub-Last-Rev: 3e22a9e
GitHub-Pull-Request: #115
Reviewed-on: https://go-review.googlesource.com/c/net/+/355930
Trust: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Trust: Cherry Mui <[email protected]>
dteh pushed a commit to dteh/fhttp that referenced this issue on Jun 22, 2022
Updates golang/go#43631
Change-Id: Iaacc875fecbdb76f4099d3eb3d67f7ec9d40c224
GitHub-Last-Rev: 3e22a9ea2f4e4f24ccfdeeb47b57f055f0639c83
GitHub-Pull-Request: golang/net#115
Reviewed-on: https://go-review.googlesource.com/c/net/+/355930
Trust: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Trust: Cherry Mui <[email protected]>
gopherbot pushed a commit that referenced this issue on Jul 1, 2022
Updates #43631
Change-Id: I0fe3aafdf7ef889fed1a830128721393f8d020e6
GitHub-Last-Rev: c359542
GitHub-Pull-Request: #48979
Reviewed-on: https://go-review.googlesource.com/c/go/+/355929
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Cherry Mui <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
jproberts pushed a commit to jproberts/go that referenced this issue on Aug 10, 2022
Updates golang#43631
Change-Id: I0fe3aafdf7ef889fed1a830128721393f8d020e6
GitHub-Last-Rev: c359542
GitHub-Pull-Request: golang#48979
Reviewed-on: https://go-review.googlesource.com/c/go/+/355929
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Cherry Mui <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: David Chase <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
WeiminShang pushed a commit to WeiminShang/net that referenced this issue on Nov 16, 2022
Updates golang/go#43631
Change-Id: Iaacc875fecbdb76f4099d3eb3d67f7ec9d40c224
GitHub-Last-Rev: 3e22a9ea2f4e4f24ccfdeeb47b57f055f0639c83
GitHub-Pull-Request: golang/net#115
Reviewed-on: https://go-review.googlesource.com/c/net/+/355930
Trust: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Trust: Cherry Mui <[email protected]>
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
What did you expect to see?
Since a newline isn't a valid character in an HTTP header value, I would expect Go's HTTP client to return an error complaining about a bad header. And it does, but...
What did you see instead?
Get "http://worldtimeapi.org/api/timezone": net/http: invalid header field value "my-secret-key\n" for key Authorization
I think it's highly undesirable to include the full actual header value in an error message like this, since it's very common to write the message for any I/O error into the application log. In this particular example it's especially inappropriate since this is specifically the Authorization header, whose value is virtually guaranteed to be sensitive information, but really any header value could be sensitive.
This is not a contrived example - one of our customers accidentally included a newline suffix in the API key they provided to our library, and they were very unhappy to see that the key ended up in their log because our code was logging I/O errors.
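One way a library that logs I/O errors can keep header values out of those logs whatever text the client puts in its error, as an added example (not code from the issue or from the Go project): a wrapping RoundTripper that checks header values before the underlying transport sees them and returns an error naming only the key. `safeTransport`, `checkHeaders` and `validValue` are hypothetical names, and the validity rule (no control bytes other than tab) is an assumption about what net/http rejects.

```go
package main

import (
	"fmt"
	"net/http"
)

// validValue reports whether v contains no control bytes other than HTAB.
// Assumption: this matches the rule net/http applies to header field values.
func validValue(v string) bool {
	for i := 0; i < len(v); i++ {
		if b := v[i]; (b < ' ' && b != '\t') || b == 0x7f {
			return false
		}
	}
	return true
}

// checkHeaders returns an error that names the offending key, never the value.
func checkHeaders(h http.Header) error {
	for k, vals := range h {
		for _, v := range vals {
			if !validValue(v) {
				return fmt.Errorf("invalid header field value (redacted) for key %s", k)
			}
		}
	}
	return nil
}

// safeTransport (hypothetical) rejects bad headers before Base can format them.
type safeTransport struct{ Base http.RoundTripper }

func (t safeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if err := checkHeaders(req.Header); err != nil {
		if req.Body != nil {
			req.Body.Close() // RoundTripper contract: close the body on error too
		}
		return nil, err
	}
	return t.Base.RoundTrip(req)
}

func main() {
	// Constructed input: the key from the report, with a stray trailing newline.
	req, _ := http.NewRequest("GET", "http://example.invalid/", nil)
	req.Header.Set("Authorization", "my-secret-key\n")
	c := &http.Client{Transport: safeTransport{Base: http.DefaultTransport}}
	_, err := c.Do(req) // fails in safeTransport; no network traffic is sent
	fmt.Println(err)
}
```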