Cypherpunks repositories - gostls13.git/commit
cmd/go/internal/web: reject insecure redirects from secure origins
author Bryan C. Mills <bcmills@google.com>
Tue, 8 Jan 2019 15:34:16 +0000 (10:34 -0500)
committer Bryan C. Mills <bcmills@google.com>
Wed, 3 Apr 2019 20:39:58 +0000 (20:39 +0000)
commit e9d12739976cbc25deb9226db25897c4824a8684
tree ee1e72d3d3d92058785c02d8c49213ef4a059daf
parent a8b4bee683cbb54601bccefbfc28f95aa4340526
cmd/go/internal/web: reject insecure redirects from secure origins

We rely on SSL certificates to verify the identity of origin servers.
If an HTTPS server redirects through a plain-HTTP URL, that hop can be
compromised. We should allow it only if the user set the -insecure
flag explicitly.

Fixes #29591

Change-Id: I00639541cca2ca034c01c464385a43b3aa8ee84f
Reviewed-on: https://go-review.googlesource.com/c/go/+/156838
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/cmd/go/go_test.go
src/cmd/go/internal/web/http.go
src/cmd/go/testdata/script/get_insecure_redirect.txt [new file with mode: 0644]
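
The rule stated in the commit message, written as a `net/http` `CheckRedirect` hook. This is an added example, not code from this commit or from the Go project; `redirectPolicy`, `checkChain`, `errInsecureRedirect`, the `allowInsecure` parameter and the example URLs are names assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

var errInsecureRedirect = errors.New("redirect from secure URL to insecure URL") // name made up for this example

// redirectPolicy builds an http.Client CheckRedirect hook that refuses any hop going
// from https to another scheme, unless allowInsecure (standing in for -insecure) is set.
func redirectPolicy(allowInsecure bool) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= 10 { // a custom hook replaces net/http's default cap, so keep one
			return errors.New("stopped after 10 redirects")
		}
		if allowInsecure || len(via) == 0 || req.URL.Scheme == "https" {
			return nil
		}
		if prev := via[len(via)-1].URL; prev.Scheme == "https" {
			return fmt.Errorf("%w: %s -> %s", errInsecureRedirect, prev, req.URL)
		}
		return nil
	}
}

// checkChain replays a constructed redirect chain through the hook, the way
// http.Client calls it before following each redirect, and returns the first error.
func checkChain(allowInsecure bool, urls ...string) error {
	check := redirectPolicy(allowInsecure)
	var via []*http.Request
	for i, u := range urls {
		req, err := http.NewRequest(http.MethodGet, u, nil)
		if err == nil && i > 0 {
			err = check(req, via)
		}
		if err != nil {
			return err
		}
		via = append(via, req)
	}
	return nil
}

func main() {
	// Constructed chain: an HTTPS origin redirects through a plain-HTTP hop.
	fmt.Println(checkChain(false, "https://a.example/pkg", "http://a.example/pkg"))
}
```

In a real client the hook is installed with `&http.Client{CheckRedirect: redirectPolicy(false)}`. Because each hop is checked against the one before it, a chain that starts on plain HTTP and later upgrades to HTTPS is also held to HTTPS from that point on.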