[release-branch.go1.8] go1.8.4

Change-Id: Iae6c1ccd1e42656fa5a57d6367e43085143cd590 Reviewed-on: https://go-review.googlesource.com/68234 Reviewed-by: Russ Cox <rsc@golang.org>
[release-branch.go1.8] net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers
2026-02-06 02:45:06 +03:00 · 2017-10-04 18:39:32 +00:00 · 2017-10-04 18:19:06 +00:00 · 2017-10-04 18:15:44 +00:00 · 2017-10-04 18:04:50 +00:00 · 2017-10-04 17:03:14 +00:00
9 changed files with 129 additions and 29 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-go1.8.3
+go1.8.4
--- a/doc/install-source.html
+++ b/doc/install-source.html
@@ -143,7 +143,7 @@ packaged Go distribution.
 <p>
 To build a bootstrap tool chain from source, use
 either the git branch <code>release-branch.go1.4</code> or
-<a href="https://storage.googleapis.com/golang/go1.4-bootstrap-20161024.tar.gz">go1.4-bootstrap-20161024.tar.gz</a>,
+<a href="https://storage.googleapis.com/golang/go1.4-bootstrap-20170531.tar.gz">go1.4-bootstrap-20170531.tar.gz</a>,
 which contains the Go 1.4 source code plus accumulated fixes
 to keep the tools running on newer operating systems.
 (Go 1.4 was the last distribution in which the tool chain was written in C.)
--- a/src/cmd/go/get.go
+++ b/src/cmd/go/get.go
@@ -439,6 +439,11 @@ func downloadPackage(p *Package) error {
 		p.build.PkgRoot = filepath.Join(list[0], "pkg")
 	}
 	root := filepath.Join(p.build.SrcRoot, filepath.FromSlash(rootPath))
+
+	if err := checkNestedVCS(vcs, root, p.build.SrcRoot); err != nil {
+		return err
+	}
+
 	// If we've considered this repository already, don't do it again.
 	if downloadRootCache[root] {
 		return nil
--- a/src/cmd/go/go_test.go
+++ b/src/cmd/go/go_test.go
@@ -1273,6 +1273,25 @@ func TestGetGitDefaultBranch(t *testing.T) {
 	tg.grepStdout(`\* another-branch`, "not on correct default branch")
 }

+func TestAccidentalGitCheckout(t *testing.T) {
+	testenv.MustHaveExternalNetwork(t)
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("skipping because git binary not found")
+	}
+
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.parallel()
+	tg.tempDir("src")
+	tg.setenv("GOPATH", tg.path("."))
+
+	tg.runFail("get", "-u", "vcs-test.golang.org/go/test1-svn-git")
+	tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent .*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
+
+	tg.runFail("get", "-u", "vcs-test.golang.org/go/test2-svn-git/test2main")
+	tg.grepStderr("src[\\\\/]vcs-test.* uses git, but parent .*src[\\\\/]vcs-test.* uses svn", "get did not fail for right reason")
+}
+
 func TestErrorMessageForSyntaxErrorInTestGoFileSaysFAIL(t *testing.T) {
 	tg := testgo(t)
 	defer tg.cleanup()
--- a/src/cmd/go/vcs.go
+++ b/src/cmd/go/vcs.go
@@ -497,11 +497,28 @@ func vcsFromDir(dir, srcRoot string) (vcs *vcsCmd, root string, err error) {
 		return nil, "", fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
 	}

+	var vcsRet *vcsCmd
+	var rootRet string
+
 	origDir := dir
 	for len(dir) > len(srcRoot) {
 		for _, vcs := range vcsList {
 			if _, err := os.Stat(filepath.Join(dir, "."+vcs.cmd)); err == nil {
-				return vcs, filepath.ToSlash(dir[len(srcRoot)+1:]), nil
+				root := filepath.ToSlash(dir[len(srcRoot)+1:])
+				// Record first VCS we find, but keep looking,
+				// to detect mistakes like one kind of VCS inside another.
+				if vcsRet == nil {
+					vcsRet = vcs
+					rootRet = root
+					continue
+				}
+				// Allow .git inside .git, which can arise due to submodules.
+				if vcsRet == vcs && vcs.cmd == "git" {
+					continue
+				}
+				// Otherwise, we have one VCS inside a different VCS.
+				return nil, "", fmt.Errorf("directory %q uses %s, but parent %q uses %s",
+					filepath.Join(srcRoot, rootRet), vcsRet.cmd, filepath.Join(srcRoot, root), vcs.cmd)
 			}
 		}

@@ -514,9 +531,48 @@ func vcsFromDir(dir, srcRoot string) (vcs *vcsCmd, root string, err error) {
 		dir = ndir
 	}

+	if vcsRet != nil {
+		return vcsRet, rootRet, nil
+	}
+
 	return nil, "", fmt.Errorf("directory %q is not using a known version control system", origDir)
 }

+// checkNestedVCS checks for an incorrectly-nested VCS-inside-VCS
+// situation for dir, checking parents up until srcRoot.
+func checkNestedVCS(vcs *vcsCmd, dir, srcRoot string) error {
+	if len(dir) <= len(srcRoot) || dir[len(srcRoot)] != filepath.Separator {
+		return fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
+	}
+
+	otherDir := dir
+	for len(otherDir) > len(srcRoot) {
+		for _, otherVCS := range vcsList {
+			if _, err := os.Stat(filepath.Join(dir, "."+otherVCS.cmd)); err == nil {
+				// Allow expected vcs in original dir.
+				if otherDir == dir && otherVCS == vcs {
+					continue
+				}
+				// Allow .git inside .git, which can arise due to submodules.
+				if otherVCS == vcs && vcs.cmd == "git" {
+					continue
+				}
+				// Otherwise, we have one VCS inside a different VCS.
+				return fmt.Errorf("directory %q uses %s, but parent %q uses %s", dir, vcs.cmd, otherDir, otherVCS.cmd)
+			}
+		}
+		// Move to parent.
+		newDir := filepath.Dir(otherDir)
+		if len(newDir) >= len(otherDir) {
+			// Shouldn't happen, but just in case, stop.
+			break
+		}
+		otherDir = newDir
+	}
+
+	return nil
+}
+
 // repoRoot represents a version control system, a repo, and a root of
 // where to put it on disk.
 type repoRoot struct {
--- a/src/net/smtp/auth.go
+++ b/src/net/smtp/auth.go
@@ -44,26 +44,29 @@ type plainAuth struct {
 }

 // PlainAuth returns an Auth that implements the PLAIN authentication
-// mechanism as defined in RFC 4616.
-// The returned Auth uses the given username and password to authenticate
-// on TLS connections to host and act as identity. Usually identity will be
-// left blank to act as username.
+// mechanism as defined in RFC 4616. The returned Auth uses the given
+// username and password to authenticate to host and act as identity.
+// Usually identity should be the empty string, to act as username.
+//
+// PlainAuth will only send the credentials if the connection is using TLS
+// or is connected to localhost. Otherwise authentication will fail with an
+// error, without sending the credentials.
 func PlainAuth(identity, username, password, host string) Auth {
 	return &plainAuth{identity, username, password, host}
 }

+func isLocalhost(name string) bool {
+	return name == "localhost" || name == "127.0.0.1" || name == "::1"
+}
+
 func (a *plainAuth) Start(server *ServerInfo) (string, []byte, error) {
-	if !server.TLS {
-		advertised := false
-		for _, mechanism := range server.Auth {
-			if mechanism == "PLAIN" {
-				advertised = true
-				break
-			}
-		}
-		if !advertised {
-			return "", nil, errors.New("unencrypted connection")
-		}
+	// Must have TLS, or else localhost server.
+	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
+	// In particular, it doesn't matter if the server advertises PLAIN auth.
+	// That might just be the attacker saying
+	// "it's ok, you can trust me with your password."
+	if !server.TLS && !isLocalhost(server.Name) {
+		return "", nil, errors.New("unencrypted connection")
 	}
 	if server.Name != a.host {
 		return "", nil, errors.New("wrong host name")
--- a/src/net/smtp/smtp_test.go
+++ b/src/net/smtp/smtp_test.go
@@ -60,29 +60,41 @@ testLoop:
 }

 func TestAuthPlain(t *testing.T) {
-	auth := PlainAuth("foo", "bar", "baz", "servername")

 	tests := []struct {
-		server *ServerInfo
-		err    string
+		authName string
+		server   *ServerInfo
+		err      string
 	}{
 		{
-			server: &ServerInfo{Name: "servername", TLS: true},
+			authName: "servername",
+			server:   &ServerInfo{Name: "servername", TLS: true},
 		},
 		{
-			// Okay; explicitly advertised by server.
-			server: &ServerInfo{Name: "servername", Auth: []string{"PLAIN"}},
+			// OK to use PlainAuth on localhost without TLS
+			authName: "localhost",
+			server:   &ServerInfo{Name: "localhost", TLS: false},
 		},
 		{
-			server: &ServerInfo{Name: "servername", Auth: []string{"CRAM-MD5"}},
-			err:    "unencrypted connection",
+			// NOT OK on non-localhost, even if server says PLAIN is OK.
+			// (We don't know that the server is the real server.)
+			authName: "servername",
+			server:   &ServerInfo{Name: "servername", Auth: []string{"PLAIN"}},
+			err:      "unencrypted connection",
 		},
 		{
-			server: &ServerInfo{Name: "attacker", TLS: true},
-			err:    "wrong host name",
+			authName: "servername",
+			server:   &ServerInfo{Name: "servername", Auth: []string{"CRAM-MD5"}},
+			err:      "unencrypted connection",
+		},
+		{
+			authName: "servername",
+			server:   &ServerInfo{Name: "attacker", TLS: true},
+			err:      "wrong host name",
 		},
 	}
 	for i, tt := range tests {
+		auth := PlainAuth("foo", "bar", "baz", tt.authName)
 		_, _, err := auth.Start(tt.server)
 		got := ""
 		if err != nil {
--- a/src/os/os_windows_test.go
+++ b/src/os/os_windows_test.go
@@ -404,6 +404,8 @@ func TestDirectorySymbolicLink(t *testing.T) {
 func TestNetworkSymbolicLink(t *testing.T) {
 	testenv.MustHaveSymlink(t)

+	const _NERR_ServerNotStarted = syscall.Errno(2114)
+
 	dir, err := ioutil.TempDir("", "TestNetworkSymbolicLink")
 	if err != nil {
 		t.Fatal(err)
@@ -454,6 +456,9 @@ func TestNetworkSymbolicLink(t *testing.T) {
 		if err == syscall.ERROR_ACCESS_DENIED {
 			t.Skip("you don't have enough privileges to add network share")
 		}
+		if err == _NERR_ServerNotStarted {
+			t.Skip(_NERR_ServerNotStarted.Error())
+		}
 		t.Fatal(err)
 	}
 	defer func() {
--- a/src/runtime/gc_test.go
+++ b/src/runtime/gc_test.go
@@ -169,7 +169,7 @@ func TestPeriodicGC(t *testing.T) {
 	// slack if things are slow.
 	var numGCs uint32
 	const want = 2
-	for i := 0; i < 20 && numGCs < want; i++ {
+	for i := 0; i < 200 && numGCs < want; i++ {
 		time.Sleep(5 * time.Millisecond)

 		// Test that periodic GC actually happened.
Author	SHA1	Message	Date
Chris Broadfoot	f5bcb9b8fe	[release-branch.go1.8] go1.8.4 Change-Id: Iae6c1ccd1e42656fa5a57d6367e43085143cd590 Reviewed-on: https://go-review.googlesource.com/68234 Reviewed-by: Russ Cox <rsc@golang.org>	2017-10-04 18:39:32 +00:00
Russ Cox	4be3fc33ef	[release-branch.go1.8] net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers PlainAuth originally refused to send passwords to non-TLS servers and was documented as such. In 2013, issue #5184 was filed objecting to the TLS requirement, despite the fact that it is spelled out clearly in RFC 4954. The only possibly legitimate use case raised was using PLAIN auth for connections to localhost, and the suggested fix was to let the server decide: if it advertises that PLAIN auth is OK, believe it. That approach was adopted in CL 8279043 and released in Go 1.1. Unfortunately, this is exactly wrong. The whole point of the TLS requirement is to make sure not to send the password to the wrong server or to a man-in-the-middle. Instead of implementing this rule, CL 8279043 blindly trusts the server, so that if a man-in-the-middle says "it's OK, you can send me your password," PlainAuth does. And the documentation was not updated to reflect any of this. This CL restores the original TLS check, as required by RFC 4954 and as promised in the documentation for PlainAuth. It then carves out a documented exception for connections made to localhost (defined as "localhost", "127.0.0.1", or "::1"). Cherry-pick of CL 68170. Change-Id: I1d3729bbd33aa2f11a03f4c000e6bb473164957b Reviewed-on: https://go-review.googlesource.com/68023 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Chris Broadfoot <cbro@golang.org>	2017-10-04 18:19:06 +00:00
Russ Cox	a4544a0f8a	[release-branch.go1.8] cmd/go: reject update of VCS inside VCS Cherry-pick of CL 68110. Change-Id: Iae84c6404ab5eeb6950faa2364f97a017c67c506 Reviewed-on: https://go-review.googlesource.com/68190 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Chris Broadfoot <cbro@golang.org>	2017-10-04 18:15:44 +00:00
Russ Cox	9d1d78c34c	[release-branch.go1.8] runtime: deflake TestPeriodicGC It was only waiting 0.1 seconds for the two GCs it wanted. Let it wait 1 second. Change-Id: Ib3cdc8127cbf95694a9f173643c02529a85063af Reviewed-on: https://go-review.googlesource.com/68150 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Chris Broadfoot <cbro@golang.org> Reviewed-by: Austin Clements <austin@google.com>	2017-10-04 18:04:50 +00:00
Alex Brainman	d45b26b1b7	[release-branch.go1.8] os: skip TestNetworkSymbolicLink if Server service is not started Fixes #20179 Change-Id: I2b405c9a212a75aae628ad51885616d33c054191 Reviewed-on: https://go-review.googlesource.com/42190 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/68030 Run-TryBot: Chris Broadfoot <cbro@golang.org> Reviewed-by: Alex Brainman <alex.brainman@gmail.com> Reviewed-by: Ian Lance Taylor <iant@golang.org>	2017-10-04 17:03:14 +00:00
Chris Broadfoot	f3e6216450	[release-branch.go1.8] doc: update bootstrap archive URL This includes the patch for systems that build PIE executables by defaul Updates #20276. Change-Id: Iecf8dfcf11bc18d397b8075559c37e3610f825cb Reviewed-on: https://go-review.googlesource.com/44470 Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-on: https://go-review.googlesource.com/44491 Reviewed-by: Chris Broadfoot <cbro@golang.org>	2017-05-31 21:06:00 +00:00