return newGitRepoCached(remote, true)
}
-const gitWorkDirType = "git2"
+const gitWorkDirType = "git3"
var gitRepoCache par.Cache
}
}
- // If we know a specific commit we need, fetch it.
- if r.fetchLevel <= fetchSome && hash != "" && !r.local {
+ // If we know a specific commit we need and its ref, fetch it.
+ // We do NOT fetch arbitrary hashes (when we don't know the ref)
+ // because we want to avoid ever importing a commit that isn't
+ // reachable from refs/tags/* or refs/heads/* or HEAD.
+ // Both Gerrit and GitHub expose every CL/PR as a named ref,
+ // and we don't want those commits masquerading as being real
+ // pseudo-versions in the main repo.
+ if r.fetchLevel <= fetchSome && ref != "" && hash != "" && !r.local {
r.fetchLevel = fetchSome
var refspec string
if ref != "" && ref != "HEAD" {
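Review bot: The new guard `if r.fetchLevel <= fetchSome && ref != "" && hash != "" && !r.local` only requires a non-empty `ref`, so the property the comment promises (never importing a commit that is not reachable from refs/heads/*, refs/tags/* or HEAD) rests on how `ref` is populated above this hunk, which is not visible here. If that code can ever return a name under a review namespace such as the Gerrit/GitHub CL and PR refs the comment mentions, the targeted fetch would still import the commit. I would state the invariant next to the guard, for example `// ref is only ever set to a name under refs/heads/ or refs/tags/, or to HEAD; see the lookup above.`, or enforce it here with a prefix check. Separately, the inner `if ref != "" && ref != "HEAD" {` now repeats a condition the outer guard already established and can be reduced to `if ref != "HEAD" {`. The enclosing function starts and ends outside the hunk.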
--- /dev/null
+env GO111MODULE=on
+env GOPROXY=direct
+env GOSUMDB=off
+[!net] skip
+
+# fetch commit hash reachable from refs/heads/* and refs/tags/* is OK
+go list -m golang.org/x/time@8be79e1e0910c292df4e79c241bb7e8f7e725959 # on master branch
+
+# fetch other commit hash, even with a non-standard ref, is not OK
+! go list -m golang.org/x/time@334d83c35137ac2b376c1dc3e4c7733791855a3a # refs/changes/24/41624/3
+stderr 'unknown revision'
+! go list -m golang.org/x/time@v0.0.0-20170424233410-334d83c35137
+stderr 'unknown revision'
+! go list -m golang.org/x/time@334d83c35137
+stderr 'unknown revision'
+
+-- go.mod --
+module m
+
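Review bot: The positive case on the `go list -m golang.org/x/time@8be79e1e0910c292df4e79c241bb7e8f7e725959` line only checks the exit status, so a regression that resolves the hash to the wrong version would still pass; adding `stdout 'golang.org/x/time v0.0.0-.*-8be79e1e0910'` after it would pin the result. The three negative cases all start from the same unreachable commit and run after the reachable one has been fetched, which is the right order, but a short comment saying that the order is deliberate (the repo cache is already populated when the rejected lookups run) would keep a later reordering from weakening the test. The script depends on the live repository keeping the `refs/changes/24/41624/3` ref, which is worth noting in a comment next to that line.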