From 75d8be5fb4cbc1a539a99557cef93dcdef997bf5 Mon Sep 17 00:00:00 2001
From: "Bryan C. Mills" <bcmills@google.com>
Date: Wed, 9 Aug 2023 17:14:30 -0400
Subject: [PATCH] [release-branch.go1.21] cmd/go/internal/web: release the net
 token when an HTTP request fails due to CheckRedirect

Updates #61877.
Fixes #61905.

Change-Id: I38c63565aaf9dc9b0c8085974521daccfbcbc790
Reviewed-on: https://go-review.googlesource.com/c/go/+/518015
Reviewed-by: Michael Matloob <matloob@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8cb5c55118a8273e1cc605b8ba167297808c4eda)
Reviewed-on: https://go-review.googlesource.com/c/go/+/518395
---
 src/cmd/go/internal/web/http.go               | 20 ++++++++++++-------
 .../script/mod_get_insecure_redirect.txt      | 19 ++++++++++++++++++
 2 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 src/cmd/go/testdata/script/mod_get_insecure_redirect.txt

diff --git a/src/cmd/go/internal/web/http.go b/src/cmd/go/internal/web/http.go
index 76b767c751..4fc939a30d 100644
--- a/src/cmd/go/internal/web/http.go
+++ b/src/cmd/go/internal/web/http.go
@@ -212,16 +212,22 @@ func get(security SecurityMode, url *urlpkg.URL) (*Response, error) {
 			}
 		}
 
-		if res == nil || res.Body == nil {
+		if err != nil {
+			// Per the docs for [net/http.Client.Do], âOn error, any Response can be
+			// ignored. A non-nil Response with a non-nil error only occurs when
+			// CheckRedirect fails, and even then the returned Response.Body is
+			// already closed.â
 			release()
-		} else {
-			body := res.Body
-			res.Body = hookCloser{
-				ReadCloser: body,
-				afterClose: release,
-			}
+			return nil, nil, err
 		}
 
+		// âIf the returned error is nil, the Response will contain a non-nil Body
+		// which the user is expected to close.â
+		body := res.Body
+		res.Body = hookCloser{
+			ReadCloser: body,
+			afterClose: release,
+		}
 		return url, res, err
 	}
 
diff --git a/src/cmd/go/testdata/script/mod_get_insecure_redirect.txt b/src/cmd/go/testdata/script/mod_get_insecure_redirect.txt
new file mode 100644
index 0000000000..a503c914e3
--- /dev/null
+++ b/src/cmd/go/testdata/script/mod_get_insecure_redirect.txt
@@ -0,0 +1,19 @@
+# golang.org/issue/29591: 'go get' was following plain-HTTP redirects even without -insecure (now replaced by GOINSECURE).
+# golang.org/issue/61877: 'go get' would panic in case of an insecure redirect in module mode
+
+[!git] skip
+
+env GOPRIVATE=vcs-test.golang.org
+
+! go get -d vcs-test.golang.org/insecure/go/insecure
+stderr 'redirected .* to insecure URL'
+
+[short] stop 'builds a git repo'
+
+env GOINSECURE=vcs-test.golang.org/insecure/go/insecure
+go get -d vcs-test.golang.org/insecure/go/insecure
+
+-- go.mod --
+module example
+go 1.21
+
-- 
2.50.0