projects / golang-1.7.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f16da52) | patch
[PATCH] cmd/go: restrict meta imports to valid schemes
authorIan Lance Taylor <iant@golang.org>
Thu, 15 Feb 2018 23:57:13 +0000 (15:57 -0800)
committerThorsten Alteholz <debian@alteholz.de>
Fri, 20 Nov 2020 16:03:02 +0000 (16:03 +0000)
commitf80e252121b1d4ba79b477a76c9adc2e64628b48
tree629b0388c557eaf189ee792e2fb437b048dd9c3etree | snapshot
parentf16da520029e080562f839d2666c0f9774fdf90ccommit | diff
[PATCH] cmd/go: restrict meta imports to valid schemes

Before this change, when using -insecure, we permitted any meta import
repo root as long as it contained "://". When not using -insecure, we
restrict meta import repo roots to be valid URLs. People may depend on
that somehow, so permit meta import repo roots to be invalid URLs, but
require them to have valid schemes per RFC 3986.

Fixes #23867

Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
Reviewed-on: https://go-review.googlesource.com/94603
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Gbp-Pq: Name cve-2018-7187.patch
src/cmd/go/vcs.go diff | blob | history
src/cmd/go/vcs_test.go diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.