Allele Security Alert
Multiple parsing issues in URL.Parse
The Go Authors
All versions of Go
Go versions 1.12.8 and 1.11.13
Proof of concept
url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.
[security] Go 1.12.8 and Go 1.11.13 are released
net/url: URL.Parse Multiple Parsing Issues #29098
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 17, 2019