代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/golang 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 558cbc498c70278bea8297272f2d4fc50d67893b Mon Sep 17 00:00:00 2001
From: "Bryan C. Mills" <bcmills@google.com>
Date: Thu, 2 Nov 2023 15:06:35 -0400
Subject: [PATCH] [Backport] cmd/go/internal/vcs: error out if the requested
repo does not support a secure protocol
CVE: CVE-2023-45285
Reference: https://go-review.googlesource.com/c/go/+/540335
Updates #63845.
Fixes #63972.
Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Signed-off-by: wangbingyao 00557526 <wangbingyao5@huawei.com>
---
src/cmd/go/internal/vcs/vcs.go | 25 +++++++++++++----
.../script/mod_insecure_issue63845.txt | 28 +++++++++++++++++++
2 files changed, 47 insertions(+), 6 deletions(-)
create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt
diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
index c65dd0f624..dbf16d1de7 100644
--- a/src/cmd/go/internal/vcs/vcs.go
+++ b/src/cmd/go/internal/vcs/vcs.go
@@ -1204,18 +1204,31 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths
var ok bool
repoURL, ok = interceptVCSTest(repo, vcs, security)
if !ok {
- scheme := vcs.Scheme[0] // default to first scheme
- if vcs.PingCmd != "" {
- // If we know how to test schemes, scan to find one.
+ scheme, err := func() (string, error) {
for _, s := range vcs.Scheme {
if security == web.SecureOnly && !vcs.isSecureScheme(s) {
continue
}
- if vcs.Ping(s, repo) == nil {
- scheme = s
- break
+
+ // If we know how to ping URL schemes for this VCS,
+ // check that this repo works.
+ // Otherwise, default to the first scheme
+ // that meets the requested security level.
+ if vcs.PingCmd == "" {
+ return s, nil
+ }
+ if err := vcs.Ping(s, repo); err == nil {
+ return s, nil
}
}
+ securityFrag := ""
+ if security == web.SecureOnly {
+ securityFrag = "secure "
+ }
+ return "", fmt.Errorf("no %sprotocol found for repository", securityFrag)
+ }()
+ if err != nil {
+ return nil, err
}
repoURL = scheme + "://" + repo
}
diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
new file mode 100644
index 0000000000..5fa6a4f12b
--- /dev/null
+++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
@@ -0,0 +1,28 @@
+# Regression test for https://go.dev/issue/63845:
+# If 'git ls-remote' fails for all secure protocols,
+# we should fail instead of falling back to an arbitrary protocol.
+#
+# Note that this test does not use the local vcweb test server
+# (vcs-test.golang.org), because the hook for redirecting to that
+# server bypasses the "ping to determine protocol" logic
+# in cmd/go/internal/vcs.
+
+[!net] skip
+[!git] skip
+[short] skip 'tries to access a nonexistent external Git repo'
+
+env GOPRIVATE=golang.org
+env CURLOPT_TIMEOUT_MS=100
+env GIT_SSH_COMMAND=false
+
+! go get -x golang.org/nonexist.git@latest
+stderr '^git ls-remote https://golang.org/nonexist$'
+stderr '^git ls-remote git\+ssh://golang.org/nonexist'
+stderr '^git ls-remote ssh://golang.org/nonexist$'
+! stderr 'git://'
+stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$'
+
+-- go.mod --
+module example
+
+go 1.19
--
2.33.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手