src/net/http/client.go | 6 ++++++ src/net/http/client_test.go | 1 + src/net/http/cookiejar/jar.go | 7 +++++++ src/net/http/cookiejar/jar_test.go | 10 ++++++++++ diff --git a/src/net/http/client.go b/src/net/http/client.go index ee6de24fc19e4fbe8003a3def4fdcc426acd0ae4..8fc348fe5d36e65404ac2ec873baa11d786b63b7 100644 --- a/src/net/http/client.go +++ b/src/net/http/client.go @@ -1014,6 +1014,12 @@ func isDomainOrSubdomain(sub, parent string) bool { if sub == parent { return true } + // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). + // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. + // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". + if strings.ContainsAny(sub, ":%") { + return false + } // If sub is "foo.example.com" and parent is "example.com", // that means sub must end in "."+parent. // Do it without allocating. diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go index 7459b9cb6ed1df3a42d4ed54a54abc8748b3dffd..e2a1cbbdea10daae766576ba2492d9a35a6590ac 100644 --- a/src/net/http/client_test.go +++ b/src/net/http/client_test.go @@ -1711,6 +1711,7 @@ {"authorization", "http://foo.com/", "http://bar.com/", false}, {"authorization", "http://foo.com/", "https://foo.com/", true}, {"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true}, {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, + {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, // But subdomains should work: {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go index 59cde82cb380e30236698079763b37838c1ae96f..e7f5ddd4d0096b9d036d6b7f4258d5695d9d9761 100644 --- a/src/net/http/cookiejar/jar.go +++ b/src/net/http/cookiejar/jar.go @@ -362,6 +362,13 @@ } // isIP reports whether host is an IP address. func isIP(host string) bool { + if strings.ContainsAny(host, ":%") { + // Probable IPv6 address. + // Hostnames can't contain : or %, so this is definitely not a valid host. + // Treating it as an IP is the more conservative option, and avoids the risk + // of interpeting ::1%.www.example.com as a subtomain of www.example.com. + return true + } return net.ParseIP(host) != nil } diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go index 56d0695a660c07415a6f7cdd68993428719e06ae..251f7c16171c3acc40be12a962eb7a48529699f8 100644 --- a/src/net/http/cookiejar/jar_test.go +++ b/src/net/http/cookiejar/jar_test.go @@ -252,6 +252,7 @@ var isIPTests = map[string]bool{ "127.0.0.1": true, "1.2.3.4": true, "2001:4860:0:2001::68": true, + "::1%zone": true, "example.com": false, "1.1.1.300": false, "www.foo.bar.net": false, @@ -627,6 +628,15 @@ []query{ {"http://www.host.test", "a=1"}, {"http://www.host.test:8080/", "a=1"}, {"http://www.host.test:1234/", "a=1"}, + }, + }, + { + "IPv6 zone is not treated as a host.", + "https://example.com/", + []string{"a=1"}, + "a=1", + []query{ + {"https://[::1%25.example.com]:80/", ""}, }, }, }