http: obscure passwords in return value of URL.String

author Scott Lawrence <bytbox@gmail.com>

Thu, 26 Aug 2010 17:32:16 +0000 (13:32 -0400)

committer Russ Cox <rsc@golang.org>

Thu, 26 Aug 2010 17:32:16 +0000 (13:32 -0400)
author Scott Lawrence <bytbox@gmail.com>
Thu, 26 Aug 2010 17:32:16 +0000 (13:32 -0400)
committer Russ Cox <rsc@golang.org>
Thu, 26 Aug 2010 17:32:16 +0000 (13:32 -0400)
diff --git a/src/pkg/http/client.go b/src/pkg/http/client.go

index ee586bd6218a533b73689cf28998b8556b141693..50b6e530d9842b56efe4f20c368e45e31a0446d2 100644 (file)
--- a/src/pkg/http/client.go
+++ b/src/pkg/http/client.go
@@ -118,6 +118,7 @@ func Get(url string) (r *Response, finalURL string, err os.Error) {
                 if req.URL, err = ParseURL(url); err != nil {
                         break
                 }
+               url = req.URL.String()
                 if r, err = send(&req); err != nil {
                         break
                 }
@@ -167,6 +168,7 @@ func Head(url string) (r *Response, err os.Error) {
         if req.URL, err = ParseURL(url); err != nil {
                 return
         }
+       url = req.URL.String()
         if r, err = send(&req); err != nil {
                 return
         }
diff --git a/src/pkg/http/url.go b/src/pkg/http/url.go

index 12247ca17b801faef33df6218f704be7453d3ee1..136e6dfe4ba0e3aeaa381e9302890480818f1a83 100644 (file)
--- a/src/pkg/http/url.go
+++ b/src/pkg/http/url.go
@@ -389,7 +389,12 @@ func (url *URL) String() string {
         if url.Host != "" || url.Userinfo != "" {
                 result += "//"
                 if url.Userinfo != "" {
-                       result += urlEscape(url.Userinfo, false) + "@"
+                       // hide the password, if any
+                       info := url.Userinfo
+                       if i := strings.Index(info, ":"); i >= 0 {
+                               info = info[0:i] + ":******"
+                       }
+                       result += urlEscape(info, false) + "@"
                 }
                 result += url.Host
         }
diff --git a/src/pkg/http/url_test.go b/src/pkg/http/url_test.go

index 097669b9c2ae64546edeeee1befc6108950a23ab..5ab512c4fd55f47c46f4575ca36e3c07bd105647 100644 (file)
--- a/src/pkg/http/url_test.go
+++ b/src/pkg/http/url_test.go
@@ -185,6 +185,28 @@ var urltests = []URLTest{
                 },
                 "",
         },
+       URLTest{
+               "http://user:password@google.com",
+               &URL{
+                       Raw:       "http://user:password@google.com",
+                       Scheme:    "http",
+                       Authority: "user:password@google.com",
+                       Userinfo:  "user:password",
+                       Host:      "google.com",
+               },
+               "http://user:******@google.com",
+       },
+       URLTest{
+               "http://user:longerpass@google.com",
+               &URL{
+                       Raw:       "http://user:longerpass@google.com",
+                       Scheme:    "http",
+                       Authority: "user:longerpass@google.com",
+                       Userinfo:  "user:longerpass",
+                       Host:      "google.com",
+               },
+               "http://user:******@google.com",
+       },
  }
  
  var urlnofragtests = []URLTest{
author	Scott Lawrence <bytbox@gmail.com>
	Thu, 26 Aug 2010 17:32:16 +0000 (13:32 -0400)
committer	Russ Cox <rsc@golang.org>
	Thu, 26 Aug 2010 17:32:16 +0000 (13:32 -0400)
src/pkg/http/client.go		patch \| blob \| history
src/pkg/http/url.go		patch \| blob \| history
src/pkg/http/url_test.go		patch \| blob \| history