net/http: strip escaped password from error

Using password that returns from User.Password() won't work in this case because password in Userinfo already unescaped. The solution is uses User.String() to escape password back again and then stringify it to error. Fixes #31808 Change-Id: I723aafd5a57a5b69f2dd7d3a21b82ebbd4174451 Reviewed-on: https://go-review.googlesource.com/c/go/+/175018Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

net/http: strip escaped password from error
Using password that returns from User.Password() won't work in this case because password in Userinfo already unescaped. The solution is uses User.String() to escape password back again and then stringify it to error. Fixes #31808 Change-Id: I723aafd5a57a5b69f2dd7d3a21b82ebbd4174451 Reviewed-on: https://go-review.googlesource.com/c/go/+/175018Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
2c67cdf7 · Thanabodee Charoenpiriyakij · Brad Fitzpatrick · f5c43b91 · 2c67cdf7 · 2c67cdf7
Commit 2c67cdf7 authored May 03, 2019 by Thanabodee Charoenpiriyakij Committed by Brad Fitzpatrick May 03, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

src/net/http/client.go src/net/http/client.go +2 -3

src/net/http/client_test.go src/net/http/client_test.go +5 -0

No files found.
--- a/src/net/http/client.go
+++ b/src/net/http/client.go
@@ -926,10 +926,9 @@ func isDomainOrSubdomain(sub, parent string) bool {
 }
 func stripPassword(u *url.URL) string {
-	pass, passSet := u.User.Password()
+	_, passSet := u.User.Password()
 	if passSet {
-		return strings.Replace(u.String(), pass+"@", "***@", 1)
+		return strings.Replace(u.String(), u.User.String()+"@", u.User.Username()+":***@", 1)
 	}
 	return u.String()
 }
--- a/src/net/http/client_test.go
+++ b/src/net/http/client_test.go
@@ -1184,6 +1184,11 @@ func TestStripPasswordFromError(t *testing.T) {
 			in:   "http://user:password@dummy.faketld/password",
 			out:  "Get http://user:***@dummy.faketld/password: dummy impl",
 		},
+		{
+			desc: "Strip escaped password",
+			in:   "http://user:pa%2Fssword@dummy.faketld/",
+			out:  "Get http://user:***@dummy.faketld/: dummy impl",
+		},
 	}
 	for _, tC := range testCases {
 		t.Run(tC.desc, func(t *testing.T) {