This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author xtreak
Recipients alvinchang, brett.cannon, martin.panter, orsenthil, ragdoll.guo, vstinner, xtreak
Date 2019-03-15.06:03:18
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
For reference an exact report on golang repo : . This seemed to have been fixed in latest golang release 1.12 and commit . The commit introduces a check for CTL characters and throws an error for URLs something similar to Python does for headers now at bf3e1c9b80e9.

func isCTL(r rune) bool {
	return r < ' ' || 0x7f <= r && r <= 0x9f

if strings.IndexFunc(ruri, isCTL) != -1 {
	return errors.New("net/http: can't write control character in Request.URL")

So below program used to work before go 1.12 setting a key on Redis but now it throws error : 

package main

import "fmt"
import "net/http"

func main() {
	resp, err := http.Get("\r\nSET test failure12\r\n:8080/test/?test=a")

➜  go version
go version go1.12 darwin/amd64
➜  go run urllib_vulnerability.go
SET test failure12
:8080/test/?test=a: net/url: invalid control character in URL

Looking more into the commit there seemed to be a solution towards escaping characters with . The fix seemed to have broke Google's internal tests [0] and hence reverted to have the above commit where only CTL characters were checked and raises an error. I think this is a tricky bug upon reading code reviews in the golang repo that has around 2-3 reports with a fix committed to be reverted later for a more conservative fix and the issue was reopened to target go 1.13 .

Thanks a lot for the report @ragdoll.guo

Date User Action Args
2019-03-15 06:03:18xtreaksetrecipients: + xtreak, brett.cannon, orsenthil, vstinner, martin.panter, ragdoll.guo, alvinchang
2019-03-15 06:03:18xtreaksetmessageid: <>
2019-03-15 06:03:18xtreaklinkissue36276 messages
2019-03-15 06:03:18xtreakcreate