[go] net/url: allow IP-literals with IPv4-mapped IPv6 addresses
2 views
Skip to first unread message
Roland Shoemaker (Gerrit)
Oct 8, 2025, 8:19:22 PM (7 days ago) Oct 8
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Roland Shoemaker has uploaded the change for review![]( "Open in Gerrit")
Commit message
net/url: allow IP-literals with IPv4-mapped IPv6 addresses
The security fix we applied in CL709857 was overly broad. It applied
rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
these were later allowed in RFC 3986, which is the canonical URI syntax
RFC.
Revert the portion of CL709857 which restricted IPv4-mapped addresses,
and update the related tests.
Fixes #75815
Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
Change diff
diff --git a/src/net/url/url.go b/src/net/url/url.go
index 292bc6b..6afa30f 100644
--- a/src/net/url/url.go
+++ b/src/net/url/url.go
@@ -689,13 +689,13 @@
// Per RFC 3986, only a host identified by a valid
// IPv6 address can be enclosed by square brackets.
- // This excludes any IPv4 or IPv4-mapped addresses.
+ // This excludes any IPv4, but notably not IPv4-mapped addresses.
addr, err := netip.ParseAddr(unescapedHostname)
if err != nil {
return "", fmt.Errorf("invalid host: %w", err)
}
- if addr.Is4() || addr.Is4In6() {
- return "", errors.New("invalid IPv6 host")
+ if addr.Is4() {
+ return "", errors.New("invalid IP-literal")
}
return "[" + unescapedHostname + "]" + unescapedColonPort, nil
} else if i := strings.LastIndex(host, ":"); i != -1 {
diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
index 3206558..6084fac 100644
--- a/src/net/url/url_test.go
+++ b/src/net/url/url_test.go
@@ -726,7 +726,7 @@
{"https://[2001:db8::1]/path", true}, // compressed IPv6 address with path
{"https://[fe80::1%25eth0]/path?query=1", true}, // link-local with zone, path, and query
- {"https://[::ffff:192.0.2.1]", false},
+ {"https://[::ffff:192.0.2.1]", true},
{"https://[:1] ", false},
{"https://[1:2:3:4:5:6:7:8:9]", false},
{"https://[1::1::1]", false},
@@ -1672,16 +1672,17 @@
{"cache_object:foo/bar", true},
{"cache_object/:foo/bar", false},
- {"http://[192.168.0.1]/", true}, // IPv4 in brackets
- {"http://[192.168.0.1]:8080/", true}, // IPv4 in brackets with port
- {"http://[::ffff:192.168.0.1]/", true}, // IPv4-mapped IPv6 in brackets
- {"http://[::ffff:192.168.0.1]:8080/", true}, // IPv4-mapped IPv6 in brackets with port
- {"http://[::ffff:c0a8:1]/", true}, // IPv4-mapped IPv6 in brackets (hex)
- {"http://[not-an-ip]/", true}, // invalid IP string in brackets
- {"http://[fe80::1%foo]/", true}, // invalid zone format in brackets
- {"http://[fe80::1", true}, // missing closing bracket
- {"http://fe80::1]/", true}, // missing opening bracket
- {"http://[test.com]/", true}, // domain name in brackets
+ {"http://[192.168.0.1]/", true}, // IPv4 in brackets
+ {"http://[192.168.0.1]:8080/", true}, // IPv4 in brackets with port
+ {"http://[::ffff:192.168.0.1]/", false}, // IPv4-mapped IPv6 in brackets
+ {"http://[::ffff:192.168.0.1000]/", true}, // Out of range IPv4-mapped IPv6 in brackets
+ {"http://[::ffff:192.168.0.1]:8080/", false}, // IPv4-mapped IPv6 in brackets with port
+ {"http://[::ffff:c0a8:1]/", false}, // IPv4-mapped IPv6 in brackets (hex)
+ {"http://[not-an-ip]/", true}, // invalid IP string in brackets
+ {"http://[fe80::1%foo]/", true}, // invalid zone format in brackets
+ {"http://[fe80::1", true}, // missing closing bracket
+ {"http://fe80::1]/", true}, // missing opening bracket
+ {"http://[test.com]/", true}, // domain name in brackets
}
for _, tt := range tests {
u, err := Parse(tt.in)
Change information
Files:
- M src/net/url/url.go
- M src/net/url/url_test.go
Change size: S
Delta: 2 files changed, 15 insertions(+), 14 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Roland Shoemaker (Gerrit)
Oct 8, 2025, 8:19:38 PM (7 days ago) Oct 8
to goph...@pubsubhelper.golang.org, Damien Neil, Ethan Lee, golang-co...@googlegroups.com
Attention needed from Damien Neil and Ethan Lee
Roland Shoemaker voted![]( "Open in Gerrit")
| Auto-Submit | +1 |
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Damien Neil
- Ethan Lee
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
Oct 9, 2025, 12:12:44 PM (6 days ago) Oct 9
to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Damien Neil, golang-co...@googlegroups.com
Attention needed from Damien Neil and Roland Shoemaker
Ethan Lee voted Code-Review+2![]( "Open in Gerrit")
Attention is currently required from:
- Damien Neil
- Roland Shoemaker
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Oct 9, 2025, 12:13:34 PM (6 days ago) Oct 9
to Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Ethan Lee, Go LUCI, Damien Neil, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
net/url: allow IP-literals with IPv4-mapped IPv6 addresses
The security fix we applied in CL709857 was overly broad. It applied
rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
these were later allowed in RFC 3986, which is the canonical URI syntax
RFC.
Revert the portion of CL709857 which restricted IPv4-mapped addresses,
and update the related tests.
Fixes #75815
Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ethan Lee <etha...@google.com>
Auto-Submit: Roland Shoemaker <rol...@golang.org>
Files:
- M src/net/url/url.go
- M src/net/url/url_test.go
Change size: S
Delta: 2 files changed, 15 insertions(+), 14 deletions(-)
Branch: refs/heads/master
Submit Requirements:
Code-Review: +2 by Ethan Lee
TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Roland Shoemaker (Gerrit)
5:03 PM (7 hours ago) 5:03 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Roland Shoemaker has uploaded the change for review![]( "Open in Gerrit")
Commit message
[release-branch.go1.25] net/url: allow IP-literals with IPv4-mapped IPv6 addresses
The security fix we applied in CL709857 was overly broad. It applied
rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
these were later allowed in RFC 3986, which is the canonical URI syntax
RFC.
Revert the portion of CL709857 which restricted IPv4-mapped addresses,
and update the related tests.
Updates #75815
Fixes #75832
Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ethan Lee <etha...@google.com>
Auto-Submit: Roland Shoemaker <rol...@golang.org>
(cherry picked from commit 9db7e30bb42eed9912f5e7e9e3959f3b38879d5b)
Change diff
diff --git a/src/net/url/url.go b/src/net/url/url.go
index 40faa7c..1c50e06 100644
--- a/src/net/url/url.go
+++ b/src/net/url/url.go
@@ -673,13 +673,13 @@
Change information
Files:
- M src/net/url/url.go
- M src/net/url/url_test.go
Change size: S
Delta: 2 files changed, 15 insertions(+), 14 deletions(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Roland Shoemaker (Gerrit)
5:03 PM (7 hours ago) 5:03 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Roland Shoemaker has uploaded the change for review![]( "Open in Gerrit")
Commit message
[release-branch.go1.24] net/url: allow IP-literals with IPv4-mapped IPv6 addresses
The security fix we applied in CL709857 was overly broad. It applied
rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but
these were later allowed in RFC 3986, which is the canonical URI syntax
RFC.
Revert the portion of CL709857 which restricted IPv4-mapped addresses,
and update the related tests.
Updates #75815
Fixes #75831
Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d
Reviewed-on: https://go-review.googlesource.com/c/go/+/710375
LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ethan Lee <etha...@google.com>
Auto-Submit: Roland Shoemaker <rol...@golang.org>
(cherry picked from commit 9db7e30bb42eed9912f5e7e9e3959f3b38879d5b)
Change diff
diff --git a/src/net/url/url.go b/src/net/url/url.go
index c686239..1d9c1cd 100644
--- a/src/net/url/url.go
+++ b/src/net/url/url.go
@@ -670,13 +670,13 @@
Roland Shoemaker (Gerrit)
5:03 PM (7 hours ago) 5:03 PM
to goph...@pubsubhelper.golang.org, Carlos Amedee, golang-co...@googlegroups.com
Attention needed from Carlos Amedee
Roland Shoemaker voted Commit-Queue+1![]( "Open in Gerrit")
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Roland Shoemaker (Gerrit)
5:04 PM (7 hours ago) 5:04 PM
to goph...@pubsubhelper.golang.org, Carlos Amedee, golang-co...@googlegroups.com
Attention needed from Carlos Amedee
Roland Shoemaker voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Carlos Amedee
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages