tg.run("get", "./pprof_mac_fix")
}
-// Issue 13037: Was not parsing <meta> tags in 404 served over HTTPS
-func TestGoGetHTTPS404(t *testing.T) {
- testenv.MustHaveExternalNetwork(t)
- switch runtime.GOOS {
- case "darwin", "linux", "freebsd":
- default:
- t.Skipf("test case does not work on %s", runtime.GOOS)
- }
-
- tg := testgo(t)
- defer tg.cleanup()
- tg.tempDir("src")
- tg.setenv("GOPATH", tg.path("."))
- tg.run("get", "bazil.org/fuse/fs/fstestutil")
-}
-
// Test that you cannot import a main package.
// See golang.org/issue/4210 and golang.org/issue/17475.
func TestImportMain(t *testing.T) {
"cmd/internal/browser"
)
-// httpClient is the default HTTP client, but a variable so it can be
-// changed by tests, without modifying http.DefaultClient.
-var httpClient = http.DefaultClient
-
// impatientInsecureHTTPClient is used in -insecure mode,
// when we're connecting to https servers that might not be there
// or might be using self-signed certificates.
},
}
+// securityPreservingHTTPClient is like the default HTTP client, but rejects
+// redirects to plain-HTTP URLs if the original URL was secure.
+var securityPreservingHTTPClient = &http.Client{
+ CheckRedirect: func(req *http.Request, via []*http.Request) error {
+ if len(via) > 0 && via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
+ lastHop := via[len(via)-1].URL
+ return fmt.Errorf("redirected from secure URL %s to insecure URL %s", lastHop, req.URL)
+ }
+ return nil
+ },
+}
+
type HTTPError struct {
status string
StatusCode int
// Get returns the data from an HTTP GET request for the given URL.
func Get(url string) ([]byte, error) {
- resp, err := httpClient.Get(url)
+ resp, err := securityPreservingHTTPClient.Get(url)
if err != nil {
return nil, err
}
if security == Insecure && scheme == "https" { // fail earlier
res, err = impatientInsecureHTTPClient.Get(urlStr)
} else {
- res, err = httpClient.Get(urlStr)
+ res, err = securityPreservingHTTPClient.Get(urlStr)
}
return
}
--- /dev/null
+# golang.org/issue/13037: 'go get' was not parsing <meta> tags in 404 served over HTTPS.
+# golang.org/issue/29591: 'go get' was following plain-HTTP redirects even without -insecure.
+
+[!net] skip
+
+env GOPROXY=
+
+! go get -d vcs-test.golang.org/insecure/go/insecure
+stderr 'redirected .* to insecure URL'
+
+go get -d -insecure vcs-test.golang.org/insecure/go/insecure