projects / golang-1.7.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 067e18d) | patch
cmd/go: restrict meta imports to valid schemes
authorIan Lance Taylor <iant@golang.org>
Thu, 15 Feb 2018 23:57:13 +0000 (15:57 -0800)
committerDr. Tobias Quathamer <toddy@debian.org>
Mon, 28 Jan 2019 21:24:55 +0000 (21:24 +0000)
commitcf5bc721b16ca1cfc6595db635699ab7072c7338
treebf33ba537918189e8604ec36a380157cf3c9fef3tree | snapshot
parent067e18d2b7896a73425b5d63a8fb97bb0b7c655dcommit | diff
cmd/go: restrict meta imports to valid schemes

Before this change, when using -insecure, we permitted any meta import
repo root as long as it contained "://". When not using -insecure, we
restrict meta import repo roots to be valid URLs. People may depend on
that somehow, so permit meta import repo roots to be invalid URLs, but
require them to have valid schemes per RFC 3986.

Fixes #23867

Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
Reviewed-on: https://go-review.googlesource.com/94603
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Gbp-Pq: Name cve-2018-7187.patch
src/cmd/go/vcs.go diff | blob | history
src/cmd/go/vcs_test.go diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.