Rebase to 1.10.1

Resolves: BZ#1562270
2018-04-04 10:10:28 +02:00 · 2018-04-04 10:10:28 +02:00 · 66a92c4de7
commit 66a92c4de7
parent 2389428bde
4 changed files with 9 additions and 132 deletions
--- a/.gitignore
+++ b/.gitignore
@ -50,3 +50,4 @@
 /go1.10rc1.src.tar.gz
 /go1.10rc2.src.tar.gz
 /go1.10.src.tar.gz
 /go1.10.1.src.tar.gz
--- a/CVE-2018-7187.patch
+++ b/CVE-2018-7187.patch
@ -1,124 +0,0 @@
 From c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc Mon Sep 17 00:00:00 2001
 From: Ian Lance Taylor <iant@golang.org>
 Date: Thu, 15 Feb 2018 15:57:13 -0800
 Subject: [PATCH] cmd/go: restrict meta imports to valid schemes
 Before this change, when using -insecure, we permitted any meta import
 repo root as long as it contained "://". When not using -insecure, we
 restrict meta import repo roots to be valid URLs. People may depend on
 that somehow, so permit meta import repo roots to be invalid URLs, but
 require them to have valid schemes per RFC 3986.
 Fixes #23867
 Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
 Reviewed-on: https://go-review.googlesource.com/94603
 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
 ---
 src/cmd/go/internal/get/vcs.go      | 34 +++++++++++++++++++++++++++--
 src/cmd/go/internal/get/vcs_test.go | 43 +++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 2 deletions(-)
 diff --git a/src/cmd/go/internal/get/vcs.go b/src/cmd/go/internal/get/vcs.go
 index ee6b16a1369..dced0ed8db5 100644
 --- a/src/cmd/go/internal/get/vcs.go
 +++ b/src/cmd/go/internal/get/vcs.go
@@ -809,8 +809,8 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re
 		}
 	}
 -	if !strings.Contains(mmi.RepoRoot, "://") {
 -		return nil, fmt.Errorf("%s: invalid repo root %q; no scheme", urlStr, mmi.RepoRoot)
 +	if err := validateRepoRootScheme(mmi.RepoRoot); err != nil {
 +		return nil, fmt.Errorf("%s: invalid repo root %q: %v", urlStr, mmi.RepoRoot, err)
 	}
 	rr := &repoRoot{
 		vcs:      vcsByCmd(mmi.VCS),
@@ -824,6 +824,36 @@ func repoRootForImportDynamic(importPath string, security web.SecurityMode) (*re
 	return rr, nil
 }
 +// validateRepoRootScheme returns an error if repoRoot does not seem
 +// to have a valid URL scheme. At this point we permit things that
 +// aren't valid URLs, although later, if not using -insecure, we will
 +// restrict repoRoots to be valid URLs. This is only because we've
 +// historically permitted them, and people may depend on that.
 +func validateRepoRootScheme(repoRoot string) error {
 +	end := strings.Index(repoRoot, "://")
 +	if end <= 0 {
 +		return errors.New("no scheme")
 +	}
 +
 +	// RFC 3986 section 3.1.
 +	for i := 0; i < end; i++ {
 +		c := repoRoot[i]
 +		switch {
 +		case 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z':
 +			// OK.
 +		case '0' <= c && c <= '9' || c == '+' || c == '-' || c == '.':
 +			// OK except at start.
 +			if i == 0 {
 +				return errors.New("invalid scheme")
 +			}
 +		default:
 +			return errors.New("invalid scheme")
 +		}
 +	}
 +
 +	return nil
 +}
 +
 var fetchGroup singleflight.Group
 var (
 	fetchCacheMu sync.Mutex
 diff --git a/src/cmd/go/internal/get/vcs_test.go b/src/cmd/go/internal/get/vcs_test.go
 index 2cb611fabd8..ece78b563ce 100644
 --- a/src/cmd/go/internal/get/vcs_test.go
 +++ b/src/cmd/go/internal/get/vcs_test.go
@@ -416,3 +416,46 @@ func TestMatchGoImport(t *testing.T) {
 		}
 	}
 }
 +
 +func TestValidateRepoRootScheme(t *testing.T) {
 +	tests := []struct {
 +		root string
 +		err  string
 +	}{
 +		{
 +			root: "",
 +			err:  "no scheme",
 +		},
 +		{
 +			root: "http://",
 +			err:  "",
 +		},
 +		{
 +			root: "a://",
 +			err:  "",
 +		},
 +		{
 +			root: "a#://",
 +			err:  "invalid scheme",
 +		},
 +		{
 +			root: "-config://",
 +			err:  "invalid scheme",
 +		},
 +	}
 +
 +	for _, test := range tests {
 +		err := validateRepoRootScheme(test.root)
 +		if err == nil {
 +			if test.err != "" {
 +				t.Errorf("validateRepoRootScheme(%q) = nil, want %q", test.root, test.err)
 +			}
 +		} else if test.err == "" {
 +			if err != nil {
 +				t.Errorf("validateRepoRootScheme(%q) = %q, want nil", test.root, test.err)
 +			}
 +		} else if err.Error() != test.err {
 +			t.Errorf("validateRepoRootScheme(%q) = %q, want %q", test.root, err, test.err)
 +		}
 +	}
 +}
--- a/golang.spec
+++ b/golang.spec
@ -102,11 +102,11 @@
 %endif
 %global go_api 1.10
-%global go_version 1.10
+%global go_version 1.10.1
 Name:           golang
-Version:        1.10
+Version:        1.10.1
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -185,8 +185,6 @@ Patch219: s390x-expose-IfInfomsg-X__ifi_pad.patch
 # Proposed patch by jcajka https://golang.org/cl/86541
 Patch221: golang-1.10-pkgconfig-fix.patch
 Patch222: CVE-2018-7187.patch
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@ -315,8 +313,6 @@ Requires:       %{name} = %{version}-%{release}
 %patch221 -p1
 %patch222 -p1
 cp %{SOURCE1} ./src/runtime/
 %build
@ -552,6 +548,10 @@ fi
 %endif
 %changelog
 * Wed Apr 04 2018 Jakub Čajka <jcajka@redhat.com> - 1.10.1-1
 - Rebase to 1.10.1
 - Resolves: BZ#1562270
 * Sat Mar 03 2018 Jakub Čajka <jcajka@redhat.com> - 1.10-2
 - Fix CVE-2018-7187
 - Resolves: BZ#1546386, BZ#1546388
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (go1.10.src.tar.gz) = 59f089e1ffb2d3aba5ada329d4f0d1181c3c4f01fa64f19d0b753f8a989cb59cf290ad88d215cadc18ef99aba8518e44c9bc258c07eaffc834c55e4a37bd4651
+SHA512 (go1.10.1.src.tar.gz) = 13f6b0643a4f92eeca04444b9fa10de38fc3427daea9aa3227cf9a5738ffee1a3f2e355ba5faf711b8506f7de118bdcd3b9064b65407a22613523e29ffd73415
`@ -1 +1 @@`
	`SHA512 (go1.10.src.tar.gz) = 59f089e1ffb2d3aba5ada329d4f0d1181c3c4f01fa64f19d0b753f8a989cb59cf290ad88d215cadc18ef99aba8518e44c9bc258c07eaffc834c55e4a37bd4651`	`SHA512 (go1.10.1.src.tar.gz) = 13f6b0643a4f92eeca04444b9fa10de38fc3427daea9aa3227cf9a5738ffee1a3f2e355ba5faf711b8506f7de118bdcd3b9064b65407a22613523e29ffd73415`