Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.24] cmd/go: update VCS commands to use safer flag/argument syntax
author: Roland Shoemaker <bracewell@google.com>
Wed, 10 Dec 2025 13:13:07 +0000 (08:13 -0500)
committer: Gopher Robot <gobot@golang.org>
Wed, 28 Jan 2026 21:58:41 +0000 (13:58 -0800)
commit: 73fe85f0ea1bf2cec8e9a89bf5645de06ecaa0a6
tree: 36107bb82cc60132231036d76518b1cc4dfccef6
parent: 2c4733c60978fc7a01d75cbcb3f99a1201687e7b
[release-branch.go1.24] cmd/go: update VCS commands to use safer flag/argument syntax

In various situations, the toolchain invokes VCS commands. Some of these
commands take arbitrary input, either provided by users or fetched from
external sources. To prevent potential command injection vulnerabilities
or misinterpretation of arguments as flags, this change updates the VCS
commands to use various techniques to separate flags from positional
arguments, and to directly associate flags with their values.

Additionally, we update the environment variable for Mercurial to use
`HGPLAIN=+strictflags`, which is the more explicit way to disable user
configurations (intended or otherwise) that might interfere with command
execution.

We also now disallow version strings from being prefixed with '-' or
'/', as doing so opens us up to making the same mistake again in the
future. As far as we know there are currently ~0 public modules affected
by this.

While I was working on cmd/go/internal/vcs, I also noticed that a
significant portion of the commands being implemented were dead code.
In order to reduce the maintenance burden and surface area for potential
issues, I removed the dead code for unused commands.

We should probably follow up with a more structured change to make it
harder to accidentally re-introduce these issues in the future, but for
now this addresses the issue at hand.

Thanks to splitline (@splitline) from DEVCORE Research Team for
reporting this issue.

Fixes CVE-2025-68119
Updates #77099
Fixes #77103

Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/736710
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 94a1296a457387d1fd6eca1a9bcd44e89bdd9d55)
Reviewed-on: https://go-review.googlesource.com/c/go/+/739421
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
src/cmd/go/internal/modcmd/edit.go
src/cmd/go/internal/modfetch/codehost/git.go
src/cmd/go/internal/modfetch/codehost/vcs.go
src/cmd/go/internal/modget/query.go
src/cmd/go/internal/modload/build.go
src/cmd/go/internal/modload/list.go
src/cmd/go/internal/toolchain/select.go
src/cmd/go/internal/vcs/vcs.go
src/cmd/go/internal/workcmd/edit.go
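The three mitigations the commit message describes (rejecting versions that begin with '-' or '/', binding every flag to its value, and separating positional arguments with "--", plus HGPLAIN=+strictflags for Mercurial), shown as an added example that is not the Go toolchain's own code; the git log and hg log invocations, and the checkVersion, gitLogArgs and hgCommand names, are this example's assumptions, not the commit's.

```go
package main

// Added example, not code from the Go toolchain or this commit: reject
// versions that begin with '-' or '/', bind each flag to its value in one
// argv element, and put "--" before untrusted positional arguments.

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

var errBadVersion = errors.New("version must not begin with '-' or '/'")

// checkVersion rejects a version string a VCS could read as a flag or absolute path.
func checkVersion(v string) error {
	if v == "" || strings.HasPrefix(v, "-") || strings.HasPrefix(v, "/") {
		return fmt.Errorf("invalid version %q: %w", v, errBadVersion)
	}
	return nil
}

// gitLogArgs builds argv for `git log` of one revision and one path: flags first
// with values attached, then "--" so the path can never be taken as a flag.
func gitLogArgs(rev, path string) ([]string, error) {
	if err := checkVersion(rev); err != nil {
		return nil, err
	}
	return []string{"log", "-n1", "--format=%H %cI", rev, "--", path}, nil
}

// hgCommand constructs (does not run) an hg invocation with -r bound to its value
// and HGPLAIN=+strictflags set, as the commit message describes for Mercurial.
func hgCommand(dir, rev, path string) (*exec.Cmd, error) {
	if err := checkVersion(rev); err != nil {
		return nil, err
	}
	cmd := exec.Command("hg", "log", "--limit=1", "--rev="+rev, "--template={node}", "--", path)
	cmd.Dir = dir
	cmd.Env = append(os.Environ(), "HGPLAIN=+strictflags")
	return cmd, nil
}

func main() {
	args, err := gitLogArgs("v1.2.3", "go.mod")
	fmt.Println(args, err)
}
```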