url.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package url parses URLs and implements query escaping.
     6  package url
     7  
     8  // See RFC 3986. This package generally follows RFC 3986, except where
     9  // it deviates for compatibility reasons. When sending changes, first
    10  // search old issues for history on decisions. Unit tests should also
    11  // contain references to issue numbers with details.
    12  
    13  import (
    14  	"errors"
    15  	"fmt"
    16  	"path"
    17  	"slices"
    18  	"strconv"
    19  	"strings"
    20  	_ "unsafe" // for linkname
    21  )
    22  
    23  // Error reports an error and the operation and URL that caused it.
    24  type Error struct {
    25  	Op  string
    26  	URL string
    27  	Err error
    28  }
    29  
    30  func (e *Error) Unwrap() error { return e.Err }
    31  func (e *Error) Error() string { return fmt.Sprintf("%s %q: %s", e.Op, e.URL, e.Err) }
    32  
    33  func (e *Error) Timeout() bool {
    34  	t, ok := e.Err.(interface {
    35  		Timeout() bool
    36  	})
    37  	return ok && t.Timeout()
    38  }
    39  
    40  func (e *Error) Temporary() bool {
    41  	t, ok := e.Err.(interface {
    42  		Temporary() bool
    43  	})
    44  	return ok && t.Temporary()
    45  }
    46  
    47  const upperhex = "0123456789ABCDEF"
    48  
    49  func ishex(c byte) bool {
    50  	switch {
    51  	case '0' <= c && c <= '9':
    52  		return true
    53  	case 'a' <= c && c <= 'f':
    54  		return true
    55  	case 'A' <= c && c <= 'F':
    56  		return true
    57  	}
    58  	return false
    59  }
    60  
    61  func unhex(c byte) byte {
    62  	switch {
    63  	case '0' <= c && c <= '9':
    64  		return c - '0'
    65  	case 'a' <= c && c <= 'f':
    66  		return c - 'a' + 10
    67  	case 'A' <= c && c <= 'F':
    68  		return c - 'A' + 10
    69  	}
    70  	return 0
    71  }
    72  
    73  type encoding int
    74  
    75  const (
    76  	encodePath encoding = 1 + iota
    77  	encodePathSegment
    78  	encodeHost
    79  	encodeZone
    80  	encodeUserPassword
    81  	encodeQueryComponent
    82  	encodeFragment
    83  )
    84  
    85  type EscapeError string
    86  
    87  func (e EscapeError) Error() string {
    88  	return "invalid URL escape " + strconv.Quote(string(e))
    89  }
    90  
    91  type InvalidHostError string
    92  
    93  func (e InvalidHostError) Error() string {
    94  	return "invalid character " + strconv.Quote(string(e)) + " in host name"
    95  }
    96  
    97  // Return true if the specified character should be escaped when
    98  // appearing in a URL string, according to RFC 3986.
    99  //
   100  // Please be informed that for now shouldEscape does not check all
   101  // reserved characters correctly. See golang.org/issue/5684.
   102  func shouldEscape(c byte, mode encoding) bool {
   103  	// §2.3 Unreserved characters (alphanum)
   104  	if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
   105  		return false
   106  	}
   107  
   108  	if mode == encodeHost || mode == encodeZone {
   109  		// §3.2.2 Host allows
   110  		//	sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
   111  		// as part of reg-name.
   112  		// We add : because we include :port as part of host.
   113  		// We add [ ] because we include [ipv6]:port as part of host.
   114  		// We add < > because they're the only characters left that
   115  		// we could possibly allow, and Parse will reject them if we
   116  		// escape them (because hosts can't use %-encoding for
   117  		// ASCII bytes).
   118  		switch c {
   119  		case '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=', ':', '[', ']', '<', '>', '"':
   120  			return false
   121  		}
   122  	}
   123  
   124  	switch c {
   125  	case '-', '_', '.', '~': // §2.3 Unreserved characters (mark)
   126  		return false
   127  
   128  	case '$', '&', '+', ',', '/', ':', ';', '=', '?', '@': // §2.2 Reserved characters (reserved)
   129  		// Different sections of the URL allow a few of
   130  		// the reserved characters to appear unescaped.
   131  		switch mode {
   132  		case encodePath: // §3.3
   133  			// The RFC allows : @ & = + $ but saves / ; , for assigning
   134  			// meaning to individual path segments. This package
   135  			// only manipulates the path as a whole, so we allow those
   136  			// last three as well. That leaves only ? to escape.
   137  			return c == '?'
   138  
   139  		case encodePathSegment: // §3.3
   140  			// The RFC allows : @ & = + $ but saves / ; , for assigning
   141  			// meaning to individual path segments.
   142  			return c == '/' || c == ';' || c == ',' || c == '?'
   143  
   144  		case encodeUserPassword: // §3.2.1
   145  			// The RFC allows ';', ':', '&', '=', '+', '$', and ',' in
   146  			// userinfo, so we must escape only '@', '/', and '?'.
   147  			// The parsing of userinfo treats ':' as special so we must escape
   148  			// that too.
   149  			return c == '@' || c == '/' || c == '?' || c == ':'
   150  
   151  		case encodeQueryComponent: // §3.4
   152  			// The RFC reserves (so we must escape) everything.
   153  			return true
   154  
   155  		case encodeFragment: // §4.1
   156  			// The RFC text is silent but the grammar allows
   157  			// everything, so escape nothing.
   158  			return false
   159  		}
   160  	}
   161  
   162  	if mode == encodeFragment {
   163  		// RFC 3986 §2.2 allows not escaping sub-delims. A subset of sub-delims are
   164  		// included in reserved from RFC 2396 §2.2. The remaining sub-delims do not
   165  		// need to be escaped. To minimize potential breakage, we apply two restrictions:
   166  		// (1) we always escape sub-delims outside of the fragment, and (2) we always
   167  		// escape single quote to avoid breaking callers that had previously assumed that
   168  		// single quotes would be escaped. See issue #19917.
   169  		switch c {
   170  		case '!', '(', ')', '*':
   171  			return false
   172  		}
   173  	}
   174  
   175  	// Everything else must be escaped.
   176  	return true
   177  }
   178  
   179  // QueryUnescape does the inverse transformation of [QueryEscape],
   180  // converting each 3-byte encoded substring of the form "%AB" into the
   181  // hex-decoded byte 0xAB.
   182  // It returns an error if any % is not followed by two hexadecimal
   183  // digits.
   184  func QueryUnescape(s string) (string, error) {
   185  	return unescape(s, encodeQueryComponent)
   186  }
   187  
   188  // PathUnescape does the inverse transformation of [PathEscape],
   189  // converting each 3-byte encoded substring of the form "%AB" into the
   190  // hex-decoded byte 0xAB. It returns an error if any % is not followed
   191  // by two hexadecimal digits.
   192  //
   193  // PathUnescape is identical to [QueryUnescape] except that it does not
   194  // unescape '+' to ' ' (space).
   195  func PathUnescape(s string) (string, error) {
   196  	return unescape(s, encodePathSegment)
   197  }
   198  
   199  // unescape unescapes a string; the mode specifies
   200  // which section of the URL string is being unescaped.
   201  func unescape(s string, mode encoding) (string, error) {
   202  	// Count %, check that they're well-formed.
   203  	n := 0
   204  	hasPlus := false
   205  	for i := 0; i < len(s); {
   206  		switch s[i] {
   207  		case '%':
   208  			n++
   209  			if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) {
   210  				s = s[i:]
   211  				if len(s) > 3 {
   212  					s = s[:3]
   213  				}
   214  				return "", EscapeError(s)
   215  			}
   216  			// Per https://tools.ietf.org/html/rfc3986#page-21
   217  			// in the host component %-encoding can only be used
   218  			// for non-ASCII bytes.
   219  			// But https://tools.ietf.org/html/rfc6874#section-2
   220  			// introduces %25 being allowed to escape a percent sign
   221  			// in IPv6 scoped-address literals. Yay.
   222  			if mode == encodeHost && unhex(s[i+1]) < 8 && s[i:i+3] != "%25" {
   223  				return "", EscapeError(s[i : i+3])
   224  			}
   225  			if mode == encodeZone {
   226  				// RFC 6874 says basically "anything goes" for zone identifiers
   227  				// and that even non-ASCII can be redundantly escaped,
   228  				// but it seems prudent to restrict %-escaped bytes here to those
   229  				// that are valid host name bytes in their unescaped form.
   230  				// That is, you can use escaping in the zone identifier but not
   231  				// to introduce bytes you couldn't just write directly.
   232  				// But Windows puts spaces here! Yay.
   233  				v := unhex(s[i+1])<<4 | unhex(s[i+2])
   234  				if s[i:i+3] != "%25" && v != ' ' && shouldEscape(v, encodeHost) {
   235  					return "", EscapeError(s[i : i+3])
   236  				}
   237  			}
   238  			i += 3
   239  		case '+':
   240  			hasPlus = mode == encodeQueryComponent
   241  			i++
   242  		default:
   243  			if (mode == encodeHost || mode == encodeZone) && s[i] < 0x80 && shouldEscape(s[i], mode) {
   244  				return "", InvalidHostError(s[i : i+1])
   245  			}
   246  			i++
   247  		}
   248  	}
   249  
   250  	if n == 0 && !hasPlus {
   251  		return s, nil
   252  	}
   253  
   254  	var t strings.Builder
   255  	t.Grow(len(s) - 2*n)
   256  	for i := 0; i < len(s); i++ {
   257  		switch s[i] {
   258  		case '%':
   259  			t.WriteByte(unhex(s[i+1])<<4 | unhex(s[i+2]))
   260  			i += 2
   261  		case '+':
   262  			if mode == encodeQueryComponent {
   263  				t.WriteByte(' ')
   264  			} else {
   265  				t.WriteByte('+')
   266  			}
   267  		default:
   268  			t.WriteByte(s[i])
   269  		}
   270  	}
   271  	return t.String(), nil
   272  }
   273  
   274  // QueryEscape escapes the string so it can be safely placed
   275  // inside a [URL] query.
   276  func QueryEscape(s string) string {
   277  	return escape(s, encodeQueryComponent)
   278  }
   279  
   280  // PathEscape escapes the string so it can be safely placed inside a [URL] path segment,
   281  // replacing special characters (including /) with %XX sequences as needed.
   282  func PathEscape(s string) string {
   283  	return escape(s, encodePathSegment)
   284  }
   285  
   286  func escape(s string, mode encoding) string {
   287  	spaceCount, hexCount := 0, 0
   288  	for i := 0; i < len(s); i++ {
   289  		c := s[i]
   290  		if shouldEscape(c, mode) {
   291  			if c == ' ' && mode == encodeQueryComponent {
   292  				spaceCount++
   293  			} else {
   294  				hexCount++
   295  			}
   296  		}
   297  	}
   298  
   299  	if spaceCount == 0 && hexCount == 0 {
   300  		return s
   301  	}
   302  
   303  	var buf [64]byte
   304  	var t []byte
   305  
   306  	required := len(s) + 2*hexCount
   307  	if required <= len(buf) {
   308  		t = buf[:required]
   309  	} else {
   310  		t = make([]byte, required)
   311  	}
   312  
   313  	if hexCount == 0 {
   314  		copy(t, s)
   315  		for i := 0; i < len(s); i++ {
   316  			if s[i] == ' ' {
   317  				t[i] = '+'
   318  			}
   319  		}
   320  		return string(t)
   321  	}
   322  
   323  	j := 0
   324  	for i := 0; i < len(s); i++ {
   325  		switch c := s[i]; {
   326  		case c == ' ' && mode == encodeQueryComponent:
   327  			t[j] = '+'
   328  			j++
   329  		case shouldEscape(c, mode):
   330  			t[j] = '%'
   331  			t[j+1] = upperhex[c>>4]
   332  			t[j+2] = upperhex[c&15]
   333  			j += 3
   334  		default:
   335  			t[j] = s[i]
   336  			j++
   337  		}
   338  	}
   339  	return string(t)
   340  }
   341  
   342  // A URL represents a parsed URL (technically, a URI reference).
   343  //
   344  // The general form represented is:
   345  //
   346  //	[scheme:][//[userinfo@]host][/]path[?query][#fragment]
   347  //
   348  // URLs that do not start with a slash after the scheme are interpreted as:
   349  //
   350  //	scheme:opaque[?query][#fragment]
   351  //
   352  // The Host field contains the host and port subcomponents of the URL.
   353  // When the port is present, it is separated from the host with a colon.
   354  // When the host is an IPv6 address, it must be enclosed in square brackets:
   355  // "[fe80::1]:80". The [net.JoinHostPort] function combines a host and port
   356  // into a string suitable for the Host field, adding square brackets to
   357  // the host when necessary.
   358  //
   359  // Note that the Path field is stored in decoded form: /%47%6f%2f becomes /Go/.
   360  // A consequence is that it is impossible to tell which slashes in the Path were
   361  // slashes in the raw URL and which were %2f. This distinction is rarely important,
   362  // but when it is, the code should use the [URL.EscapedPath] method, which preserves
   363  // the original encoding of Path.
   364  //
   365  // The RawPath field is an optional field which is only set when the default
   366  // encoding of Path is different from the escaped path. See the EscapedPath method
   367  // for more details.
   368  //
   369  // URL's String method uses the EscapedPath method to obtain the path.
   370  type URL struct {
   371  	Scheme      string
   372  	Opaque      string    // encoded opaque data
   373  	User        *Userinfo // username and password information
   374  	Host        string    // host or host:port (see Hostname and Port methods)
   375  	Path        string    // path (relative paths may omit leading slash)
   376  	RawPath     string    // encoded path hint (see EscapedPath method)
   377  	OmitHost    bool      // do not emit empty host (authority)
   378  	ForceQuery  bool      // append a query ('?') even if RawQuery is empty
   379  	RawQuery    string    // encoded query values, without '?'
   380  	Fragment    string    // fragment for references, without '#'
   381  	RawFragment string    // encoded fragment hint (see EscapedFragment method)
   382  }
   383  
   384  // User returns a [Userinfo] containing the provided username
   385  // and no password set.
   386  func User(username string) *Userinfo {
   387  	return &Userinfo{username, "", false}
   388  }
   389  
   390  // UserPassword returns a [Userinfo] containing the provided username
   391  // and password.
   392  //
   393  // This functionality should only be used with legacy web sites.
   394  // RFC 2396 warns that interpreting Userinfo this way
   395  // “is NOT RECOMMENDED, because the passing of authentication
   396  // information in clear text (such as URI) has proven to be a
   397  // security risk in almost every case where it has been used.”
   398  func UserPassword(username, password string) *Userinfo {
   399  	return &Userinfo{username, password, true}
   400  }
   401  
   402  // The Userinfo type is an immutable encapsulation of username and
   403  // password details for a [URL]. An existing Userinfo value is guaranteed
   404  // to have a username set (potentially empty, as allowed by RFC 2396),
   405  // and optionally a password.
   406  type Userinfo struct {
   407  	username    string
   408  	password    string
   409  	passwordSet bool
   410  }
   411  
   412  // Username returns the username.
   413  func (u *Userinfo) Username() string {
   414  	if u == nil {
   415  		return ""
   416  	}
   417  	return u.username
   418  }
   419  
   420  // Password returns the password in case it is set, and whether it is set.
   421  func (u *Userinfo) Password() (string, bool) {
   422  	if u == nil {
   423  		return "", false
   424  	}
   425  	return u.password, u.passwordSet
   426  }
   427  
   428  // String returns the encoded userinfo information in the standard form
   429  // of "username[:password]".
   430  func (u *Userinfo) String() string {
   431  	if u == nil {
   432  		return ""
   433  	}
   434  	s := escape(u.username, encodeUserPassword)
   435  	if u.passwordSet {
   436  		s += ":" + escape(u.password, encodeUserPassword)
   437  	}
   438  	return s
   439  }
   440  
   441  // Maybe rawURL is of the form scheme:path.
   442  // (Scheme must be [a-zA-Z][a-zA-Z0-9+.-]*)
   443  // If so, return scheme, path; else return "", rawURL.
   444  func getScheme(rawURL string) (scheme, path string, err error) {
   445  	for i := 0; i < len(rawURL); i++ {
   446  		c := rawURL[i]
   447  		switch {
   448  		case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':
   449  		// do nothing
   450  		case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':
   451  			if i == 0 {
   452  				return "", rawURL, nil
   453  			}
   454  		case c == ':':
   455  			if i == 0 {
   456  				return "", "", errors.New("missing protocol scheme")
   457  			}
   458  			return rawURL[:i], rawURL[i+1:], nil
   459  		default:
   460  			// we have encountered an invalid character,
   461  			// so there is no valid scheme
   462  			return "", rawURL, nil
   463  		}
   464  	}
   465  	return "", rawURL, nil
   466  }
   467  
   468  // Parse parses a raw url into a [URL] structure.
   469  //
   470  // The url may be relative (a path, without a host) or absolute
   471  // (starting with a scheme). Trying to parse a hostname and path
   472  // without a scheme is invalid but may not necessarily return an
   473  // error, due to parsing ambiguities.
   474  func Parse(rawURL string) (*URL, error) {
   475  	// Cut off #frag
   476  	u, frag, _ := strings.Cut(rawURL, "#")
   477  	url, err := parse(u, false)
   478  	if err != nil {
   479  		return nil, &Error{"parse", u, err}
   480  	}
   481  	if frag == "" {
   482  		return url, nil
   483  	}
   484  	if err = url.setFragment(frag); err != nil {
   485  		return nil, &Error{"parse", rawURL, err}
   486  	}
   487  	return url, nil
   488  }
   489  
   490  // ParseRequestURI parses a raw url into a [URL] structure. It assumes that
   491  // url was received in an HTTP request, so the url is interpreted
   492  // only as an absolute URI or an absolute path.
   493  // The string url is assumed not to have a #fragment suffix.
   494  // (Web browsers strip #fragment before sending the URL to a web server.)
   495  func ParseRequestURI(rawURL string) (*URL, error) {
   496  	url, err := parse(rawURL, true)
   497  	if err != nil {
   498  		return nil, &Error{"parse", rawURL, err}
   499  	}
   500  	return url, nil
   501  }
   502  
   503  // parse parses a URL from a string in one of two contexts. If
   504  // viaRequest is true, the URL is assumed to have arrived via an HTTP request,
   505  // in which case only absolute URLs or path-absolute relative URLs are allowed.
   506  // If viaRequest is false, all forms of relative URLs are allowed.
   507  func parse(rawURL string, viaRequest bool) (*URL, error) {
   508  	var rest string
   509  	var err error
   510  
   511  	if stringContainsCTLByte(rawURL) {
   512  		return nil, errors.New("net/url: invalid control character in URL")
   513  	}
   514  
   515  	if rawURL == "" && viaRequest {
   516  		return nil, errors.New("empty url")
   517  	}
   518  	url := new(URL)
   519  
   520  	if rawURL == "*" {
   521  		url.Path = "*"
   522  		return url, nil
   523  	}
   524  
   525  	// Split off possible leading "http:", "mailto:", etc.
   526  	// Cannot contain escaped characters.
   527  	if url.Scheme, rest, err = getScheme(rawURL); err != nil {
   528  		return nil, err
   529  	}
   530  	url.Scheme = strings.ToLower(url.Scheme)
   531  
   532  	if strings.HasSuffix(rest, "?") && strings.Count(rest, "?") == 1 {
   533  		url.ForceQuery = true
   534  		rest = rest[:len(rest)-1]
   535  	} else {
   536  		rest, url.RawQuery, _ = strings.Cut(rest, "?")
   537  	}
   538  
   539  	if !strings.HasPrefix(rest, "/") {
   540  		if url.Scheme != "" {
   541  			// We consider rootless paths per RFC 3986 as opaque.
   542  			url.Opaque = rest
   543  			return url, nil
   544  		}
   545  		if viaRequest {
   546  			return nil, errors.New("invalid URI for request")
   547  		}
   548  
   549  		// Avoid confusion with malformed schemes, like cache_object:foo/bar.
   550  		// See golang.org/issue/16822.
   551  		//
   552  		// RFC 3986, §3.3:
   553  		// In addition, a URI reference (Section 4.1) may be a relative-path reference,
   554  		// in which case the first path segment cannot contain a colon (":") character.
   555  		if segment, _, _ := strings.Cut(rest, "/"); strings.Contains(segment, ":") {
   556  			// First path segment has colon. Not allowed in relative URL.
   557  			return nil, errors.New("first path segment in URL cannot contain colon")
   558  		}
   559  	}
   560  
   561  	if (url.Scheme != "" || !viaRequest && !strings.HasPrefix(rest, "///")) && strings.HasPrefix(rest, "//") {
   562  		var authority string
   563  		authority, rest = rest[2:], ""
   564  		if i := strings.Index(authority, "/"); i >= 0 {
   565  			authority, rest = authority[:i], authority[i:]
   566  		}
   567  		url.User, url.Host, err = parseAuthority(authority)
   568  		if err != nil {
   569  			return nil, err
   570  		}
   571  	} else if url.Scheme != "" && strings.HasPrefix(rest, "/") {
   572  		// OmitHost is set to true when rawURL has an empty host (authority).
   573  		// See golang.org/issue/46059.
   574  		url.OmitHost = true
   575  	}
   576  
   577  	// Set Path and, optionally, RawPath.
   578  	// RawPath is a hint of the encoding of Path. We don't want to set it if
   579  	// the default escaping of Path is equivalent, to help make sure that people
   580  	// don't rely on it in general.
   581  	if err := url.setPath(rest); err != nil {
   582  		return nil, err
   583  	}
   584  	return url, nil
   585  }
   586  
   587  func parseAuthority(authority string) (user *Userinfo, host string, err error) {
   588  	i := strings.LastIndex(authority, "@")
   589  	if i < 0 {
   590  		host, err = parseHost(authority)
   591  	} else {
   592  		host, err = parseHost(authority[i+1:])
   593  	}
   594  	if err != nil {
   595  		return nil, "", err
   596  	}
   597  	if i < 0 {
   598  		return nil, host, nil
   599  	}
   600  	userinfo := authority[:i]
   601  	if !validUserinfo(userinfo) {
   602  		return nil, "", errors.New("net/url: invalid userinfo")
   603  	}
   604  	if !strings.Contains(userinfo, ":") {
   605  		if userinfo, err = unescape(userinfo, encodeUserPassword); err != nil {
   606  			return nil, "", err
   607  		}
   608  		user = User(userinfo)
   609  	} else {
   610  		username, password, _ := strings.Cut(userinfo, ":")
   611  		if username, err = unescape(username, encodeUserPassword); err != nil {
   612  			return nil, "", err
   613  		}
   614  		if password, err = unescape(password, encodeUserPassword); err != nil {
   615  			return nil, "", err
   616  		}
   617  		user = UserPassword(username, password)
   618  	}
   619  	return user, host, nil
   620  }
   621  
   622  // parseHost parses host as an authority without user
   623  // information. That is, as host[:port].
   624  func parseHost(host string) (string, error) {
   625  	if strings.HasPrefix(host, "[") {
   626  		// Parse an IP-Literal in RFC 3986 and RFC 6874.
   627  		// E.g., "[fe80::1]", "[fe80::1%25en0]", "[fe80::1]:80".
   628  		i := strings.LastIndex(host, "]")
   629  		if i < 0 {
   630  			return "", errors.New("missing ']' in host")
   631  		}
   632  		colonPort := host[i+1:]
   633  		if !validOptionalPort(colonPort) {
   634  			return "", fmt.Errorf("invalid port %q after host", colonPort)
   635  		}
   636  
   637  		// RFC 6874 defines that %25 (%-encoded percent) introduces
   638  		// the zone identifier, and the zone identifier can use basically
   639  		// any %-encoding it likes. That's different from the host, which
   640  		// can only %-encode non-ASCII bytes.
   641  		// We do impose some restrictions on the zone, to avoid stupidity
   642  		// like newlines.
   643  		zone := strings.Index(host[:i], "%25")
   644  		if zone >= 0 {
   645  			host1, err := unescape(host[:zone], encodeHost)
   646  			if err != nil {
   647  				return "", err
   648  			}
   649  			host2, err := unescape(host[zone:i], encodeZone)
   650  			if err != nil {
   651  				return "", err
   652  			}
   653  			host3, err := unescape(host[i:], encodeHost)
   654  			if err != nil {
   655  				return "", err
   656  			}
   657  			return host1 + host2 + host3, nil
   658  		}
   659  	} else if i := strings.LastIndex(host, ":"); i != -1 {
   660  		colonPort := host[i:]
   661  		if !validOptionalPort(colonPort) {
   662  			return "", fmt.Errorf("invalid port %q after host", colonPort)
   663  		}
   664  	}
   665  
   666  	var err error
   667  	if host, err = unescape(host, encodeHost); err != nil {
   668  		return "", err
   669  	}
   670  	return host, nil
   671  }
   672  
   673  // setPath sets the Path and RawPath fields of the URL based on the provided
   674  // escaped path p. It maintains the invariant that RawPath is only specified
   675  // when it differs from the default encoding of the path.
   676  // For example:
   677  // - setPath("/foo/bar")   will set Path="/foo/bar" and RawPath=""
   678  // - setPath("/foo%2fbar") will set Path="/foo/bar" and RawPath="/foo%2fbar"
   679  // setPath will return an error only if the provided path contains an invalid
   680  // escaping.
   681  //
   682  // setPath should be an internal detail,
   683  // but widely used packages access it using linkname.
   684  // Notable members of the hall of shame include:
   685  //   - github.com/sagernet/sing
   686  //
   687  // Do not remove or change the type signature.
   688  // See go.dev/issue/67401.
   689  //
   690  //go:linkname badSetPath net/url.(*URL).setPath
   691  func (u *URL) setPath(p string) error {
   692  	path, err := unescape(p, encodePath)
   693  	if err != nil {
   694  		return err
   695  	}
   696  	u.Path = path
   697  	if escp := escape(path, encodePath); p == escp {
   698  		// Default encoding is fine.
   699  		u.RawPath = ""
   700  	} else {
   701  		u.RawPath = p
   702  	}
   703  	return nil
   704  }
   705  
   706  // for linkname because we cannot linkname methods directly
   707  func badSetPath(*URL, string) error
   708  
   709  // EscapedPath returns the escaped form of u.Path.
   710  // In general there are multiple possible escaped forms of any path.
   711  // EscapedPath returns u.RawPath when it is a valid escaping of u.Path.
   712  // Otherwise EscapedPath ignores u.RawPath and computes an escaped
   713  // form on its own.
   714  // The [URL.String] and [URL.RequestURI] methods use EscapedPath to construct
   715  // their results.
   716  // In general, code should call EscapedPath instead of
   717  // reading u.RawPath directly.
   718  func (u *URL) EscapedPath() string {
   719  	if u.RawPath != "" && validEncoded(u.RawPath, encodePath) {
   720  		p, err := unescape(u.RawPath, encodePath)
   721  		if err == nil && p == u.Path {
   722  			return u.RawPath
   723  		}
   724  	}
   725  	if u.Path == "*" {
   726  		return "*" // don't escape (Issue 11202)
   727  	}
   728  	return escape(u.Path, encodePath)
   729  }
   730  
   731  // validEncoded reports whether s is a valid encoded path or fragment,
   732  // according to mode.
   733  // It must not contain any bytes that require escaping during encoding.
   734  func validEncoded(s string, mode encoding) bool {
   735  	for i := 0; i < len(s); i++ {
   736  		// RFC 3986, Appendix A.
   737  		// pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
   738  		// shouldEscape is not quite compliant with the RFC,
   739  		// so we check the sub-delims ourselves and let
   740  		// shouldEscape handle the others.
   741  		switch s[i] {
   742  		case '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=', ':', '@':
   743  			// ok
   744  		case '[', ']':
   745  			// ok - not specified in RFC 3986 but left alone by modern browsers
   746  		case '%':
   747  			// ok - percent encoded, will decode
   748  		default:
   749  			if shouldEscape(s[i], mode) {
   750  				return false
   751  			}
   752  		}
   753  	}
   754  	return true
   755  }
   756  
   757  // setFragment is like setPath but for Fragment/RawFragment.
   758  func (u *URL) setFragment(f string) error {
   759  	frag, err := unescape(f, encodeFragment)
   760  	if err != nil {
   761  		return err
   762  	}
   763  	u.Fragment = frag
   764  	if escf := escape(frag, encodeFragment); f == escf {
   765  		// Default encoding is fine.
   766  		u.RawFragment = ""
   767  	} else {
   768  		u.RawFragment = f
   769  	}
   770  	return nil
   771  }
   772  
   773  // EscapedFragment returns the escaped form of u.Fragment.
   774  // In general there are multiple possible escaped forms of any fragment.
   775  // EscapedFragment returns u.RawFragment when it is a valid escaping of u.Fragment.
   776  // Otherwise EscapedFragment ignores u.RawFragment and computes an escaped
   777  // form on its own.
   778  // The [URL.String] method uses EscapedFragment to construct its result.
   779  // In general, code should call EscapedFragment instead of
   780  // reading u.RawFragment directly.
   781  func (u *URL) EscapedFragment() string {
   782  	if u.RawFragment != "" && validEncoded(u.RawFragment, encodeFragment) {
   783  		f, err := unescape(u.RawFragment, encodeFragment)
   784  		if err == nil && f == u.Fragment {
   785  			return u.RawFragment
   786  		}
   787  	}
   788  	return escape(u.Fragment, encodeFragment)
   789  }
   790  
   791  // validOptionalPort reports whether port is either an empty string
   792  // or matches /^:\d*$/
   793  func validOptionalPort(port string) bool {
   794  	if port == "" {
   795  		return true
   796  	}
   797  	if port[0] != ':' {
   798  		return false
   799  	}
   800  	for _, b := range port[1:] {
   801  		if b < '0' || b > '9' {
   802  			return false
   803  		}
   804  	}
   805  	return true
   806  }
   807  
   808  // String reassembles the [URL] into a valid URL string.
   809  // The general form of the result is one of:
   810  //
   811  //	scheme:opaque?query#fragment
   812  //	scheme://userinfo@host/path?query#fragment
   813  //
   814  // If u.Opaque is non-empty, String uses the first form;
   815  // otherwise it uses the second form.
   816  // Any non-ASCII characters in host are escaped.
   817  // To obtain the path, String uses u.EscapedPath().
   818  //
   819  // In the second form, the following rules apply:
   820  //   - if u.Scheme is empty, scheme: is omitted.
   821  //   - if u.User is nil, userinfo@ is omitted.
   822  //   - if u.Host is empty, host/ is omitted.
   823  //   - if u.Scheme and u.Host are empty and u.User is nil,
   824  //     the entire scheme://userinfo@host/ is omitted.
   825  //   - if u.Host is non-empty and u.Path begins with a /,
   826  //     the form host/path does not add its own /.
   827  //   - if u.RawQuery is empty, ?query is omitted.
   828  //   - if u.Fragment is empty, #fragment is omitted.
   829  func (u *URL) String() string {
   830  	var buf strings.Builder
   831  
   832  	n := len(u.Scheme)
   833  	if u.Opaque != "" {
   834  		n += len(u.Opaque)
   835  	} else {
   836  		if !u.OmitHost && (u.Scheme != "" || u.Host != "" || u.User != nil) {
   837  			username := u.User.Username()
   838  			password, _ := u.User.Password()
   839  			n += len(username) + len(password) + len(u.Host)
   840  		}
   841  		n += len(u.Path)
   842  	}
   843  	n += len(u.RawQuery) + len(u.RawFragment)
   844  	n += len(":" + "//" + "//" + ":" + "@" + "/" + "./" + "?" + "#")
   845  	buf.Grow(n)
   846  
   847  	if u.Scheme != "" {
   848  		buf.WriteString(u.Scheme)
   849  		buf.WriteByte(':')
   850  	}
   851  	if u.Opaque != "" {
   852  		buf.WriteString(u.Opaque)
   853  	} else {
   854  		if u.Scheme != "" || u.Host != "" || u.User != nil {
   855  			if u.OmitHost && u.Host == "" && u.User == nil {
   856  				// omit empty host
   857  			} else {
   858  				if u.Host != "" || u.Path != "" || u.User != nil {
   859  					buf.WriteString("//")
   860  				}
   861  				if ui := u.User; ui != nil {
   862  					buf.WriteString(ui.String())
   863  					buf.WriteByte('@')
   864  				}
   865  				if h := u.Host; h != "" {
   866  					buf.WriteString(escape(h, encodeHost))
   867  				}
   868  			}
   869  		}
   870  		path := u.EscapedPath()
   871  		if path != "" && path[0] != '/' && u.Host != "" {
   872  			buf.WriteByte('/')
   873  		}
   874  		if buf.Len() == 0 {
   875  			// RFC 3986 §4.2
   876  			// A path segment that contains a colon character (e.g., "this:that")
   877  			// cannot be used as the first segment of a relative-path reference, as
   878  			// it would be mistaken for a scheme name. Such a segment must be
   879  			// preceded by a dot-segment (e.g., "./this:that") to make a relative-
   880  			// path reference.
   881  			if segment, _, _ := strings.Cut(path, "/"); strings.Contains(segment, ":") {
   882  				buf.WriteString("./")
   883  			}
   884  		}
   885  		buf.WriteString(path)
   886  	}
   887  	if u.ForceQuery || u.RawQuery != "" {
   888  		buf.WriteByte('?')
   889  		buf.WriteString(u.RawQuery)
   890  	}
   891  	if u.Fragment != "" {
   892  		buf.WriteByte('#')
   893  		buf.WriteString(u.EscapedFragment())
   894  	}
   895  	return buf.String()
   896  }
   897  
   898  // Redacted is like [URL.String] but replaces any password with "xxxxx".
   899  // Only the password in u.User is redacted.
   900  func (u *URL) Redacted() string {
   901  	if u == nil {
   902  		return ""
   903  	}
   904  
   905  	ru := *u
   906  	if _, has := ru.User.Password(); has {
   907  		ru.User = UserPassword(ru.User.Username(), "xxxxx")
   908  	}
   909  	return ru.String()
   910  }
   911  
   912  // Values maps a string key to a list of values.
   913  // It is typically used for query parameters and form values.
   914  // Unlike in the http.Header map, the keys in a Values map
   915  // are case-sensitive.
   916  type Values map[string][]string
   917  
   918  // Get gets the first value associated with the given key.
   919  // If there are no values associated with the key, Get returns
   920  // the empty string. To access multiple values, use the map
   921  // directly.
   922  func (v Values) Get(key string) string {
   923  	vs := v[key]
   924  	if len(vs) == 0 {
   925  		return ""
   926  	}
   927  	return vs[0]
   928  }
   929  
   930  // Set sets the key to value. It replaces any existing
   931  // values.
   932  func (v Values) Set(key, value string) {
   933  	v[key] = []string{value}
   934  }
   935  
   936  // Add adds the value to key. It appends to any existing
   937  // values associated with key.
   938  func (v Values) Add(key, value string) {
   939  	v[key] = append(v[key], value)
   940  }
   941  
   942  // Del deletes the values associated with key.
   943  func (v Values) Del(key string) {
   944  	delete(v, key)
   945  }
   946  
   947  // Has checks whether a given key is set.
   948  func (v Values) Has(key string) bool {
   949  	_, ok := v[key]
   950  	return ok
   951  }
   952  
   953  // ParseQuery parses the URL-encoded query string and returns
   954  // a map listing the values specified for each key.
   955  // ParseQuery always returns a non-nil map containing all the
   956  // valid query parameters found; err describes the first decoding error
   957  // encountered, if any.
   958  //
   959  // Query is expected to be a list of key=value settings separated by ampersands.
   960  // A setting without an equals sign is interpreted as a key set to an empty
   961  // value.
   962  // Settings containing a non-URL-encoded semicolon are considered invalid.
   963  func ParseQuery(query string) (Values, error) {
   964  	m := make(Values)
   965  	err := parseQuery(m, query)
   966  	return m, err
   967  }
   968  
   969  func parseQuery(m Values, query string) (err error) {
   970  	for query != "" {
   971  		var key string
   972  		key, query, _ = strings.Cut(query, "&")
   973  		if strings.Contains(key, ";") {
   974  			err = fmt.Errorf("invalid semicolon separator in query")
   975  			continue
   976  		}
   977  		if key == "" {
   978  			continue
   979  		}
   980  		key, value, _ := strings.Cut(key, "=")
   981  		key, err1 := QueryUnescape(key)
   982  		if err1 != nil {
   983  			if err == nil {
   984  				err = err1
   985  			}
   986  			continue
   987  		}
   988  		value, err1 = QueryUnescape(value)
   989  		if err1 != nil {
   990  			if err == nil {
   991  				err = err1
   992  			}
   993  			continue
   994  		}
   995  		m[key] = append(m[key], value)
   996  	}
   997  	return err
   998  }
   999  
  1000  // Encode encodes the values into “URL encoded” form
  1001  // ("bar=baz&foo=quux") sorted by key.
  1002  func (v Values) Encode() string {
  1003  	if len(v) == 0 {
  1004  		return ""
  1005  	}
  1006  	var buf strings.Builder
  1007  	keys := make([]string, 0, len(v))
  1008  	for k := range v {
  1009  		keys = append(keys, k)
  1010  	}
  1011  	slices.Sort(keys)
  1012  	for _, k := range keys {
  1013  		vs := v[k]
  1014  		keyEscaped := QueryEscape(k)
  1015  		for _, v := range vs {
  1016  			if buf.Len() > 0 {
  1017  				buf.WriteByte('&')
  1018  			}
  1019  			buf.WriteString(keyEscaped)
  1020  			buf.WriteByte('=')
  1021  			buf.WriteString(QueryEscape(v))
  1022  		}
  1023  	}
  1024  	return buf.String()
  1025  }
  1026  
  1027  // resolvePath applies special path segments from refs and applies
  1028  // them to base, per RFC 3986.
  1029  func resolvePath(base, ref string) string {
  1030  	var full string
  1031  	if ref == "" {
  1032  		full = base
  1033  	} else if ref[0] != '/' {
  1034  		i := strings.LastIndex(base, "/")
  1035  		full = base[:i+1] + ref
  1036  	} else {
  1037  		full = ref
  1038  	}
  1039  	if full == "" {
  1040  		return ""
  1041  	}
  1042  
  1043  	var (
  1044  		elem string
  1045  		dst  strings.Builder
  1046  	)
  1047  	first := true
  1048  	remaining := full
  1049  	// We want to return a leading '/', so write it now.
  1050  	dst.WriteByte('/')
  1051  	found := true
  1052  	for found {
  1053  		elem, remaining, found = strings.Cut(remaining, "/")
  1054  		if elem == "." {
  1055  			first = false
  1056  			// drop
  1057  			continue
  1058  		}
  1059  
  1060  		if elem == ".." {
  1061  			// Ignore the leading '/' we already wrote.
  1062  			str := dst.String()[1:]
  1063  			index := strings.LastIndexByte(str, '/')
  1064  
  1065  			dst.Reset()
  1066  			dst.WriteByte('/')
  1067  			if index == -1 {
  1068  				first = true
  1069  			} else {
  1070  				dst.WriteString(str[:index])
  1071  			}
  1072  		} else {
  1073  			if !first {
  1074  				dst.WriteByte('/')
  1075  			}
  1076  			dst.WriteString(elem)
  1077  			first = false
  1078  		}
  1079  	}
  1080  
  1081  	if elem == "." || elem == ".." {
  1082  		dst.WriteByte('/')
  1083  	}
  1084  
  1085  	// We wrote an initial '/', but we don't want two.
  1086  	r := dst.String()
  1087  	if len(r) > 1 && r[1] == '/' {
  1088  		r = r[1:]
  1089  	}
  1090  	return r
  1091  }
  1092  
  1093  // IsAbs reports whether the [URL] is absolute.
  1094  // Absolute means that it has a non-empty scheme.
  1095  func (u *URL) IsAbs() bool {
  1096  	return u.Scheme != ""
  1097  }
  1098  
  1099  // Parse parses a [URL] in the context of the receiver. The provided URL
  1100  // may be relative or absolute. Parse returns nil, err on parse
  1101  // failure, otherwise its return value is the same as [URL.ResolveReference].
  1102  func (u *URL) Parse(ref string) (*URL, error) {
  1103  	refURL, err := Parse(ref)
  1104  	if err != nil {
  1105  		return nil, err
  1106  	}
  1107  	return u.ResolveReference(refURL), nil
  1108  }
  1109  
  1110  // ResolveReference resolves a URI reference to an absolute URI from
  1111  // an absolute base URI u, per RFC 3986 Section 5.2. The URI reference
  1112  // may be relative or absolute. ResolveReference always returns a new
  1113  // [URL] instance, even if the returned URL is identical to either the
  1114  // base or reference. If ref is an absolute URL, then ResolveReference
  1115  // ignores base and returns a copy of ref.
  1116  func (u *URL) ResolveReference(ref *URL) *URL {
  1117  	url := *ref
  1118  	if ref.Scheme == "" {
  1119  		url.Scheme = u.Scheme
  1120  	}
  1121  	if ref.Scheme != "" || ref.Host != "" || ref.User != nil {
  1122  		// The "absoluteURI" or "net_path" cases.
  1123  		// We can ignore the error from setPath since we know we provided a
  1124  		// validly-escaped path.
  1125  		url.setPath(resolvePath(ref.EscapedPath(), ""))
  1126  		return &url
  1127  	}
  1128  	if ref.Opaque != "" {
  1129  		url.User = nil
  1130  		url.Host = ""
  1131  		url.Path = ""
  1132  		return &url
  1133  	}
  1134  	if ref.Path == "" && !ref.ForceQuery && ref.RawQuery == "" {
  1135  		url.RawQuery = u.RawQuery
  1136  		if ref.Fragment == "" {
  1137  			url.Fragment = u.Fragment
  1138  			url.RawFragment = u.RawFragment
  1139  		}
  1140  	}
  1141  	if ref.Path == "" && u.Opaque != "" {
  1142  		url.Opaque = u.Opaque
  1143  		url.User = nil
  1144  		url.Host = ""
  1145  		url.Path = ""
  1146  		return &url
  1147  	}
  1148  	// The "abs_path" or "rel_path" cases.
  1149  	url.Host = u.Host
  1150  	url.User = u.User
  1151  	url.setPath(resolvePath(u.EscapedPath(), ref.EscapedPath()))
  1152  	return &url
  1153  }
  1154  
  1155  // Query parses RawQuery and returns the corresponding values.
  1156  // It silently discards malformed value pairs.
  1157  // To check errors use [ParseQuery].
  1158  func (u *URL) Query() Values {
  1159  	v, _ := ParseQuery(u.RawQuery)
  1160  	return v
  1161  }
  1162  
  1163  // RequestURI returns the encoded path?query or opaque?query
  1164  // string that would be used in an HTTP request for u.
  1165  func (u *URL) RequestURI() string {
  1166  	result := u.Opaque
  1167  	if result == "" {
  1168  		result = u.EscapedPath()
  1169  		if result == "" {
  1170  			result = "/"
  1171  		}
  1172  	} else {
  1173  		if strings.HasPrefix(result, "//") {
  1174  			result = u.Scheme + ":" + result
  1175  		}
  1176  	}
  1177  	if u.ForceQuery || u.RawQuery != "" {
  1178  		result += "?" + u.RawQuery
  1179  	}
  1180  	return result
  1181  }
  1182  
  1183  // Hostname returns u.Host, stripping any valid port number if present.
  1184  //
  1185  // If the result is enclosed in square brackets, as literal IPv6 addresses are,
  1186  // the square brackets are removed from the result.
  1187  func (u *URL) Hostname() string {
  1188  	host, _ := splitHostPort(u.Host)
  1189  	return host
  1190  }
  1191  
  1192  // Port returns the port part of u.Host, without the leading colon.
  1193  //
  1194  // If u.Host doesn't contain a valid numeric port, Port returns an empty string.
  1195  func (u *URL) Port() string {
  1196  	_, port := splitHostPort(u.Host)
  1197  	return port
  1198  }
  1199  
  1200  // splitHostPort separates host and port. If the port is not valid, it returns
  1201  // the entire input as host, and it doesn't check the validity of the host.
  1202  // Unlike net.SplitHostPort, but per RFC 3986, it requires ports to be numeric.
  1203  func splitHostPort(hostPort string) (host, port string) {
  1204  	host = hostPort
  1205  
  1206  	colon := strings.LastIndexByte(host, ':')
  1207  	if colon != -1 && validOptionalPort(host[colon:]) {
  1208  		host, port = host[:colon], host[colon+1:]
  1209  	}
  1210  
  1211  	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
  1212  		host = host[1 : len(host)-1]
  1213  	}
  1214  
  1215  	return
  1216  }
  1217  
  1218  // Marshaling interface implementations.
  1219  // Would like to implement MarshalText/UnmarshalText but that will change the JSON representation of URLs.
  1220  
  1221  func (u *URL) MarshalBinary() (text []byte, err error) {
  1222  	return []byte(u.String()), nil
  1223  }
  1224  
  1225  func (u *URL) UnmarshalBinary(text []byte) error {
  1226  	u1, err := Parse(string(text))
  1227  	if err != nil {
  1228  		return err
  1229  	}
  1230  	*u = *u1
  1231  	return nil
  1232  }
  1233  
  1234  // JoinPath returns a new [URL] with the provided path elements joined to
  1235  // any existing path and the resulting path cleaned of any ./ or ../ elements.
  1236  // Any sequences of multiple / characters will be reduced to a single /.
  1237  func (u *URL) JoinPath(elem ...string) *URL {
  1238  	elem = append([]string{u.EscapedPath()}, elem...)
  1239  	var p string
  1240  	if !strings.HasPrefix(elem[0], "/") {
  1241  		// Return a relative path if u is relative,
  1242  		// but ensure that it contains no ../ elements.
  1243  		elem[0] = "/" + elem[0]
  1244  		p = path.Join(elem...)[1:]
  1245  	} else {
  1246  		p = path.Join(elem...)
  1247  	}
  1248  	// path.Join will remove any trailing slashes.
  1249  	// Preserve at least one.
  1250  	if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
  1251  		p += "/"
  1252  	}
  1253  	url := *u
  1254  	url.setPath(p)
  1255  	return &url
  1256  }
  1257  
  1258  // validUserinfo reports whether s is a valid userinfo string per RFC 3986
  1259  // Section 3.2.1:
  1260  //
  1261  //	userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
  1262  //	unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
  1263  //	sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
  1264  //	              / "*" / "+" / "," / ";" / "="
  1265  //
  1266  // It doesn't validate pct-encoded. The caller does that via func unescape.
  1267  func validUserinfo(s string) bool {
  1268  	for _, r := range s {
  1269  		if 'A' <= r && r <= 'Z' {
  1270  			continue
  1271  		}
  1272  		if 'a' <= r && r <= 'z' {
  1273  			continue
  1274  		}
  1275  		if '0' <= r && r <= '9' {
  1276  			continue
  1277  		}
  1278  		switch r {
  1279  		case '-', '.', '_', ':', '~', '!', '$', '&', '\'',
  1280  			'(', ')', '*', '+', ',', ';', '=', '%', '@':
  1281  			continue
  1282  		default:
  1283  			return false
  1284  		}
  1285  	}
  1286  	return true
  1287  }
  1288  
  1289  // stringContainsCTLByte reports whether s contains any ASCII control character.
  1290  func stringContainsCTLByte(s string) bool {
  1291  	for i := 0; i < len(s); i++ {
  1292  		b := s[i]
  1293  		if b < ' ' || b == 0x7f {
  1294  			return true
  1295  		}
  1296  	}
  1297  	return false
  1298  }
  1299  
  1300  // JoinPath returns a [URL] string with the provided path elements joined to
  1301  // the existing path of base and the resulting path cleaned of any ./ or ../ elements.
  1302  func JoinPath(base string, elem ...string) (result string, err error) {
  1303  	url, err := Parse(base)
  1304  	if err != nil {
  1305  		return
  1306  	}
  1307  	result = url.JoinPath(elem...).String()
  1308  	return
  1309  }
  1310
View as plain text