Cypherpunks repositories - gostls13.git/commit
cmd/go: restore netrc preferences for GOAUTH and fix domain lookup
author Sam Thanawalla <samthanawalla@google.com>
Wed, 8 Jan 2025 20:38:32 +0000 (20:38 +0000)
committer Gopher Robot <gobot@golang.org>
Thu, 16 Jan 2025 19:01:32 +0000 (11:01 -0800)
commit 139d6eedae38f9e8bc81bb2c8c5c2c75d12853ab
tree 5f48a2de7e5489ddd2a72ef9fe32fe724d7928ae
parent 2b2314e9f6103de322b2e247387c8b01fd0cd5a4
cmd/go: restore netrc preferences for GOAUTH and fix domain lookup

Store netrc lines into the credential map backward so that earlier lines
take priority over later lines. This matches Go 1.23 netrc lookup which
stopped at the first match it found.
Additionally, this fixes a security issue related to domain parsing
which could have allowed servers to read credentials belonging to other
servers. The fix was to switch from using path.Dir(currentPrefix) to
strings.Cut(currentPrefix, "/")

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #71249
Fixes CVE-2024-45340

Change-Id: I175a00d6d7f4d31c9e4d79b7cf1c2a0ad35b2781
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1781
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643097
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
src/cmd/go/internal/auth/auth.go
src/cmd/go/internal/auth/auth_test.go
src/cmd/go/testdata/script/goauth_netrc.txt
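
The two behaviours the commit message describes (earlier netrc lines taking priority, and falling back to the host by cutting at the first "/"), as an added Go example. It is not the code from auth.go; the `entry` type, `buildCreds`, `lookup` and the sample hostnames are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// entry is one parsed netrc line (constructed type, not cmd/go's own).
type entry struct{ machine, login, password string }

// buildCreds stores entries last-to-first so that, when two lines name the
// same machine, the earlier line overwrites the later one and wins.
func buildCreds(lines []entry) map[string]entry {
	creds := make(map[string]entry, len(lines))
	for i := len(lines) - 1; i >= 0; i-- {
		creds[lines[i].machine] = lines[i]
	}
	return creds
}

// lookup tries the full prefix first, then falls back to the host alone.
// strings.Cut returns the literal text before the first "/" and performs no
// path cleaning, so the fallback key is always the host the URL starts with.
func lookup(creds map[string]entry, rawURL string) (entry, bool) {
	prefix := strings.TrimPrefix(rawURL, "https://")
	for prefix != "" {
		if e, ok := creds[prefix]; ok {
			return e, true
		}
		host, _, found := strings.Cut(prefix, "/")
		if !found {
			return entry{}, false // already at the bare host: no match
		}
		prefix = host
	}
	return entry{}, false
}

func main() {
	// Constructed sample netrc content, already parsed.
	creds := buildCreds([]entry{
		{"git.example.test", "first", "pw1"},
		{"git.example.test", "second", "pw2"},
		{"other.example.test", "other", "pw3"},
	})
	e, ok := lookup(creds, "https://git.example.test/team/repo")
	fmt.Println(e.login, ok)
	_, ok = lookup(creds, "https://unknown.example.test/team/repo")
	fmt.Println(ok)
}
```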