Cypherpunks repositories - gostls13.git/commit

author	Roland Shoemaker <bracewell@google.com>
	Mon, 9 Jun 2025 18:23:46 +0000 (11:23 -0700)
committer	Carlos Amedee <carlos@golang.org>
	Tue, 8 Jul 2025 16:29:29 +0000 (09:29 -0700)
commit	825eeee3f789a11231ce23a4836c74ec5e34bf2a
tree	45d334e8466a7cbc4839f4b504b6ff7ac8afbb7f	tree
parent	dbf30d88f3b8c8129fb0978dda7452cc931b75d6	commit \| diff

[release-branch.go1.24] cmd/go: disable support for multiple vcs in one module

Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
which was always enabled, and disallow multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
reporting this issue.

Updates #74380
Fixes #74381
Fixes CVE-2025-4674

Change-Id: I6c7925b034d60b80d7698cca677b00bdcc67f24e
Reviewed-on: https://go-review.googlesource.com/c/go/+/686395
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Commit-Queue: Carlos Amedee <carlos@golang.org>

doc/godebug.md		diff \| blob \| history
src/cmd/go/internal/load/pkg.go		diff \| blob \| history
src/cmd/go/internal/modfetch/repo.go		diff \| blob \| history
src/cmd/go/internal/vcs/vcs.go		diff \| blob \| history
src/cmd/go/internal/vcs/vcs_test.go		diff \| blob \| history
src/cmd/go/testdata/script/test_multivcs.txt	[new file with mode: 0644]	blob
src/cmd/go/testdata/script/version_buildvcs_nested.txt		diff \| blob \| history
src/internal/godebugs/godebugs_test.go		diff \| blob \| history
src/internal/godebugs/table.go		diff \| blob \| history
src/runtime/metrics/doc.go		diff \| blob \| history