net/url: surprising behavior when OmitHost=true and Path starts with //

[neild]

A url.URL with OmitHost=true and a Path starting with // will surprisingly stringify as a URL with an authority (host) component:

u := url.URL{
	OmitHost: true,
	Scheme:   "file",
	Path:     "//host/path",
}
fmt.Println(u.String()) // file://host/path

OmitHost is only expected to be set for URLs with a Path starting with a single /(it exists entirely to handle this particular form of URL). url.Parse will never create a URL like the above. However, it's possible to manually construct one, and the results are surprising.

Perhaps we should escape the initial / in the path in this situation.

(This was reported to us as a potential vulnerability. We consider misbehavior in url.Parse to be a potential vulnerability, but not a user-constructed invalid url.URL such as the one above.)

[gabyhelp]

Related Issues

• net/url: add OmitHost bool to URL #46059 (closed)
• net/url: JoinPath doesn't strip relative path components in all circumstances #54385 (closed)
• net/url: URL.String can return invalid string if given invalid URL.Path #5927 (closed)
• net/url: Parse generates incorrect Path if hostname is empty #4189 (closed)
• net/url: no way to construct raw unqualified request URI starting with // #10433 (closed)
• net/url: pathologically silly URL parsing fails #54920 (closed)
• net/url: Parse thinks /// does not start an authority #46277
• net/url: malformed urls may lead to an "open redirect" vulnerability #38642 (closed)
• net/url: Parsing of absolute Windows filepaths without scheme #13276 (closed)
• net/url: Parse+String does not round trip magnet URLs #20054 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/758881 mentions this issue: net/url: escape // at start of Path when OmitHost set