diff --git a/3771.patch b/3771.patch new file mode 100644 index 0000000..d4d8eaf --- /dev/null +++ b/3771.patch @@ -0,0 +1,61 @@ +From f06492430e8f4a37136c746a29cffb7149beae08 Mon Sep 17 00:00:00 2001 +From: "brian m. carlson" +Date: Wed, 14 Aug 2019 14:49:48 +0000 +Subject: [PATCH] lfsapi: fix URL parsing with Go 1.12.8 + +Go 1.12.8 introduces a security fix for parsing URLs that contain a +colon followed by an invalid port number. Since our SSH remotes can +contain just such a colon, our hack to make these into URLs no longer +works. + +Fix this by replacing the first colon in these "URLs" with a slash, +which is a path delimiter, which makes them parsable by newer versions +of Go. Update the name of the function since it now does more than its +previous name implies. +--- + lfsapi/auth.go | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/lfsapi/auth.go b/lfsapi/auth.go +index 5a99a5b01..1de332e99 100644 +--- a/lfsapi/auth.go ++++ b/lfsapi/auth.go +@@ -192,7 +192,7 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote string, apiEndpoint l + + if len(remote) > 0 { + if u := ef.GitRemoteURL(remote, operation == "upload"); u != "" { +- schemedUrl, _ := prependEmptySchemeIfAbsent(u) ++ schemedUrl, _ := fixSchemelessURL(u) + + gitRemoteURL, err := url.Parse(schemedUrl) + if err != nil { +@@ -214,12 +214,13 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote string, apiEndpoint l + return apiURL, nil + } + +-// prependEmptySchemeIfAbsent prepends an empty scheme "//" if none was found in +-// the URL in order to satisfy RFC 3986 §3.3, and `net/url.Parse()`. ++// fixSchemelessURL prepends an empty scheme "//" if none was found in ++// the URL and replaces the first colon with a slash in order to satisfy RFC ++// 3986 §3.3, and `net/url.Parse()`. + // + // It returns a string parse-able with `net/url.Parse()` and a boolean whether + // or not an empty scheme was added. +-func prependEmptySchemeIfAbsent(u string) (string, bool) { ++func fixSchemelessURL(u string) (string, bool) { + if hasScheme(u) { + return u, false + } +@@ -231,7 +232,11 @@ func prependEmptySchemeIfAbsent(u string) (string, bool) { + // First path segment has a colon, assumed that it's a + // scheme-less URL. Append an empty scheme on top to + // satisfy RFC 3986 §3.3, and `net/url.Parse()`. +- return fmt.Sprintf("//%s", u), true ++ // ++ // In addition, replace the first colon with a slash since ++ // otherwise the colon looks like it's introducing a port ++ // number. ++ return fmt.Sprintf("//%s", strings.Replace(u, ":", "/", 1)), true + } + return u, true + } diff --git a/git-lfs.spec b/git-lfs.spec index dbe5e2d..c82b517 100644 --- a/git-lfs.spec +++ b/git-lfs.spec @@ -22,6 +22,7 @@ URL: https://git-lfs.github.io/ Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-v%{version}.tar.gz # https://github.com/git-lfs/git-lfs/issues/3798 Patch0001: https://github.com/git-lfs/git-lfs/pull/3800.patch +Patch0002: https://github.com/git-lfs/git-lfs/pull/3771.patch BuildRequires: golang(github.com/git-lfs/gitobj) >= 1.3.1 BuildRequires: golang(github.com/git-lfs/gitobj/errors) >= 1.3.1 @@ -65,6 +66,7 @@ storing the file contents on a remote server. %goprep %patch0001 -p1 +%patch0002 -p1 # Modify Makefile so that it expects binaries where we build them. sed -i -e 's!\.\./bin/!/%{gobuilddir}/bin/!g' t/Makefile