[go] net/textproto: escape arbitrary input when including them in errors


Nicholas Husin (Gerrit)

May 15, 2026, 12:33:22 PM
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Damien Neil, Nicholas Husin, Roland Shoemaker, golang...@luci-project-accounts.iam.gserviceaccount.com, golang-co...@googlegroups.com

Nicholas Husin submitted the change

Change information

Commit message:
net/textproto: escape arbitrary input when including them in errors

When returning errors, functions in the net/textproto package would
include their input as part of the error, without any escaping. Note that
said input is often controlled by external parties when using this
package naturally. For example, a net/http client uses ReadMIMEHeader
when parsing the headers it receives from a server.

As a result, an attacker could inject arbitrary content into the error.
Practically, this can result in an attacker injecting misleading
content, terminal control bytes, etc. into a victim's output or logs.

Fix this issue by making sure that ProtocolError usages within the
package are properly escaped, and that Error.String will escape its Msg.

Fixes #79346
Fixes CVE-2026-42507
Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964
Reviewed-by: Roland Shoemaker <rol...@golang.org>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Files:
  • M src/net/smtp/smtp_test.go
  • M src/net/textproto/reader.go
  • M src/net/textproto/reader_test.go
  • M src/net/textproto/textproto.go
Change size: S
Delta: 4 files changed, 15 insertions(+), 13 deletions(-)
Branch: refs/heads/master
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964
Gerrit-Change-Number: 777060
Gerrit-PatchSet: 5
Gerrit-Owner: Nicholas Husin <n...@golang.org>
Gerrit-Reviewer: Damien Neil <dn...@google.com>
Gerrit-Reviewer: Nicholas Husin <hu...@google.com>
Gerrit-Reviewer: Nicholas Husin <n...@golang.org>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
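The issue described in the commit message, seen from the caller's side, as an added example (not code from this Go change): an application that logs errors derived from remote input can escape them itself before they reach a terminal or log file. The names `logSafe`, `parseHeaders`, `hasControl` and the sample input are constructed for illustration, and `strconv.QuoteToASCII` is an assumed choice of escaping, not necessarily what the fix uses.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
	"unicode"
)

// constructedResponse is sample input built for this example: a header block
// whose second line has no colon and carries a terminal escape sequence.
const constructedResponse = "X-Ok: 1\r\nBad\x1b[2Jline\r\n\r\n"

// parseHeaders (hypothetical helper) parses raw as a MIME header block,
// the same way a client would parse headers received from a server.
func parseHeaders(raw string) (textproto.MIMEHeader, error) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	return r.ReadMIMEHeader()
}

// logSafe (hypothetical helper) renders an error as a quoted ASCII string,
// so control bytes, newlines and non-ASCII runes appear as visible escapes.
// If the library already escaped the message, backslashes are escaped again,
// which is harmless for log output.
func logSafe(err error) string {
	if err == nil {
		return "<nil>"
	}
	return strconv.QuoteToASCII(err.Error())
}

// hasControl reports whether s contains any Unicode control character
// (C0, DEL or C1), i.e. bytes that could alter how a terminal renders it.
func hasControl(s string) bool {
	return strings.IndexFunc(s, unicode.IsControl) >= 0
}

func main() {
	_, err := parseHeaders(constructedResponse)
	// Whether err.Error() itself still holds raw bytes depends on the Go
	// version in use; the escaped form is safe to print in both cases.
	fmt.Println("parse failed:", logSafe(err))
	fmt.Println("control bytes in logged form:", hasControl(logSafe(err)))
}
```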