Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: directory traversal in "go get" via curly braces in import paths [Go 1.11] #29235

Closed
FiloSottile opened this issue Dec 13, 2018 · 3 comments
Closed

cmd/go: directory traversal in "go get" via curly braces in import paths [Go 1.11] #29235

FiloSottile opened this issue Dec 13, 2018 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.11.3

Comments

@FiloSottile
Copy link
Contributor

This is a tracking issue for #29231, a security vulnerability fixed in Go 1.11.3.
@FiloSottile FiloSottile added this to the Go1.11.3 milestone Dec 13, 2018
@FiloSottile FiloSottile changed the title cmd/go: directory traversal via curly braces in import paths [Go 1.11] cmd/go: directory traversal in "go get" via curly braces in import paths [Go 1.11] Dec 13, 2018
@tomislavmitic2012
Copy link

@FiloSottile You have just broken every one that uses packages such as gobuffalo/pop/ which were gotten previously with go get github.com/gobuffalo/pop/... the only way to fix it is to downgrade to go 1.11.2. How go you suggest we proceed.

@tomislavmitic2012
Copy link

Breaking change is here, this totally needs to be reverted 8954add#diff-5b11f198c631a3d489e1be171853ab7bR40

@FiloSottile
Copy link
Contributor Author

We know it's broken, see #29241. You can run go get -d github.com/gobuffalo/pop && go get github.com/gobuffalo/pop/... instead for now. We are not reverting a security fix, but will fix the regression in the upcoming minor release.

@golang golang locked and limited conversation to collaborators Dec 14, 2019
@FiloSottile FiloSottile added the CherryPickApproved Used during the release process for point releases label Aug 20, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.11.3
Development

No branches or pull requests
3 participants
@tomislavmitic2012 @FiloSottile @gopherbot