net/http: fix ProxyFromEnvironment panic on invalid $NO_PROXY value

Given an entry in $no_proxy like ":1" we would interpret it as an empty
host name and a port number, then check the first character of the host
name for dots. This would then cause an index out of range panic. This
change simply skips these entries, as the following checks would anyway
have returned false.

Fixes #19536

Change-Id: Iafe9c7a77ad4a6278c8ccb00a1575b56e4bdcd79
Reviewed-on: https://go-review.googlesource.com/38067
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/net/http/proxy_test.go b/src/net/http/proxy_test.go
index 8d3a78b9621b53f1ce85498c15718027926263a7..f59a551f0acf4befa9b8eab936392d8e5da49ba1 100644 (file)
--- a/src/net/http/proxy_test.go
+++ b/src/net/http/proxy_test.go
@@ -79,3 +79,9 @@ func ResetProxyEnv() {
        }
        ResetCachedEnvironment()
 }
+
+func TestInvalidNoProxy(t *testing.T) {
+       ResetProxyEnv()
+       os.Setenv("NO_PROXY", ":1")
+       useProxy("example.com:80") // should not panic
+}

diff --git a/src/net/http/transport.go b/src/net/http/transport.go
index 0d4f427a57e860e28370bb7ff2a54a1050b373b3..5be7488d6d96affc916d654cc2ffd5f28c160e55 100644 (file)
--- a/src/net/http/transport.go
+++ b/src/net/http/transport.go
@@ -1227,6 +1227,10 @@ func useProxy(addr string) bool {
                if addr == p {
                        return false
                }
+               if len(p) == 0 {
+                       // There is no host part, likely the entry is malformed; ignore.
+                       continue
+               }
                if p[0] == '.' && (strings.HasSuffix(addr, p) || addr == p[1:]) {
                        // no_proxy ".foo.com" matches "bar.foo.com" or "foo.com"
                        return false