Cypherpunks repositories - gostls13.git/commit

author	Roland Shoemaker <bracewell@google.com>
	Mon, 9 Jun 2025 18:23:46 +0000 (11:23 -0700)
committer	Carlos Amedee <carlos@golang.org>
	Tue, 8 Jul 2025 16:29:10 +0000 (09:29 -0700)
commit	e9d2c032b14c17083be0f8f0c822565199d2994f
tree	b64a7dbc5e72e65ccd3ca1f04dc5017b318afcea	tree
parent	e919b332534b520da300ecc84330dfaeede7669d	commit \| diff

[release-branch.go1.23] cmd/go: disable support for multiple vcs in one module

Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
which was always enabled, and disallow multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
reporting this issue.

Updates #74380
Fixes #74382
Fixes CVE-2025-4674

Change-Id: I2db79f2baacfacfec331ee7c6978c4057d483eba
Reviewed-on: https://go-review.googlesource.com/c/go/+/686337
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Commit-Queue: Carlos Amedee <carlos@golang.org>

doc/godebug.md		diff \| blob \| history
src/cmd/go/internal/load/pkg.go		diff \| blob \| history
src/cmd/go/internal/vcs/vcs.go		diff \| blob \| history
src/cmd/go/internal/vcs/vcs_test.go		diff \| blob \| history
src/cmd/go/testdata/script/test_multivcs.txt	[new file with mode: 0644]	blob
src/cmd/go/testdata/script/version_buildvcs_nested.txt		diff \| blob \| history
src/internal/godebugs/godebugs_test.go		diff \| blob \| history
src/internal/godebugs/table.go		diff \| blob \| history
src/runtime/metrics/doc.go		diff \| blob \| history