From e822b1e26e20ef1c76672c0b77b0fd8a97a1fe84 Mon Sep 17 00:00:00 2001
From: Alexander Yastrebov <yastrebov.alex@gmail.com>
Date: Thu, 14 Oct 2021 22:01:49 +0000
Subject: [PATCH] net/http: omit invalid header value from error message

Updates #43631

Change-Id: I0fe3aafdf7ef889fed1a830128721393f8d020e6
GitHub-Last-Rev: c359542d741b17f4e2cb0d50982bf341246233b0
GitHub-Pull-Request: golang/go#48979
Reviewed-on: https://go-review.googlesource.com/c/go/+/355929
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: David Chase <drchase@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 src/net/http/transport.go      |  3 ++-
 src/net/http/transport_test.go | 16 ++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/net/http/transport.go b/src/net/http/transport.go
index f2d538b04a..e470a6c080 100644
--- a/src/net/http/transport.go
+++ b/src/net/http/transport.go
@@ -525,7 +525,8 @@ func (t *Transport) roundTrip(req *Request) (*Response, error) {
 			for _, v := range vv {
 				if !httpguts.ValidHeaderFieldValue(v) {
 					req.closeBody()
-					return nil, fmt.Errorf("net/http: invalid header field value %q for key %v", v, k)
+					// Don't include the value in the error, because it may be sensitive.
+					return nil, fmt.Errorf("net/http: invalid header field value for %q", k)
 				}
 			}
 		}
diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
index 84868e2c5e..cba35db257 100644
--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
@@ -6085,14 +6085,14 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
 				Method: " ",
 				URL:    u,
 			},
-			wantErr: "invalid method",
+			wantErr: `invalid method " "`,
 		},
 		{
 			name: "nil URL",
 			req: &Request{
 				Method: "GET",
 			},
-			wantErr: "nil Request.URL",
+			wantErr: `nil Request.URL`,
 		},
 		{
 			name: "invalid header key",
@@ -6101,7 +6101,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
 				Header: Header{"💡": {"emoji"}},
 				URL:    u,
 			},
-			wantErr: "invalid header field name",
+			wantErr: `invalid header field name "💡"`,
 		},
 		{
 			name: "invalid header value",
@@ -6110,7 +6110,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
 				Header: Header{"key": {"\x19"}},
 				URL:    u,
 			},
-			wantErr: "invalid header field value",
+			wantErr: `invalid header field value for "key"`,
 		},
 		{
 			name: "non HTTP(s) scheme",
@@ -6118,7 +6118,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
 				Method: "POST",
 				URL:    &url.URL{Scheme: "faux"},
 			},
-			wantErr: "unsupported protocol scheme",
+			wantErr: `unsupported protocol scheme "faux"`,
 		},
 		{
 			name: "no Host in URL",
@@ -6126,7 +6126,7 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
 				Method: "POST",
 				URL:    &url.URL{Scheme: "http"},
 			},
-			wantErr: "no Host",
+			wantErr: `no Host in request URL`,
 		},
 	}
 
@@ -6142,8 +6142,8 @@ func TestTransportClosesBodyOnInvalidRequests(t *testing.T) {
 			if !bc {
 				t.Fatal("Expected body to have been closed")
 			}
-			if g, w := err.Error(), tt.wantErr; !strings.Contains(g, w) {
-				t.Fatalf("Error mismatch\n\t%q\ndoes not contain\n\t%q", g, w)
+			if g, w := err.Error(), tt.wantErr; !strings.HasSuffix(g, w) {
+				t.Fatalf("Error mismatch: %q does not end with %q", g, w)
 			}
 		})
 	}