net/http: strip escaped password from error

Using password that returns from User.Password() won't work in this case
because password in Userinfo already unescaped. The solution is uses
User.String() to escape password back again and then stringify it to error.

Fixes #31808

Change-Id: I723aafd5a57a5b69f2dd7d3a21b82ebbd4174451
Reviewed-on: https://go-review.googlesource.com/c/go/+/175018
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/net/http/client.go b/src/net/http/client.go
index 6de1b48531826d3464e71c8abf3f7fcc41475d42..65a9d51cc6b179b944b78690db2e4fb3900476d2 100644 (file)
--- a/src/net/http/client.go
+++ b/src/net/http/client.go
@@ -926,10 +926,9 @@ func isDomainOrSubdomain(sub, parent string) bool {
 }
 
 func stripPassword(u *url.URL) string {
-       pass, passSet := u.User.Password()
+       _, passSet := u.User.Password()
        if passSet {
-               return strings.Replace(u.String(), pass+"@", "***@", 1)
+               return strings.Replace(u.String(), u.User.String()+"@", u.User.Username()+":***@", 1)
        }
-
        return u.String()
 }

diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
index cb3b86d97795ed7780001c5c1181505f52578891..2f031e2f9b314cfe665da5e473fa4b73401950d2 100644 (file)
--- a/src/net/http/client_test.go
+++ b/src/net/http/client_test.go
@@ -1184,6 +1184,11 @@ func TestStripPasswordFromError(t *testing.T) {
                        in:   "http://user:password@dummy.faketld/password",
                        out:  "Get http://user:***@dummy.faketld/password: dummy impl",
                },
+               {
+                       desc: "Strip escaped password",
+                       in:   "http://user:pa%2Fssword@dummy.faketld/",
+                       out:  "Get http://user:***@dummy.faketld/: dummy impl",
+               },
        }
        for _, tC := range testCases {
                t.Run(tC.desc, func(t *testing.T) {