Conflict:src/cmd/go/internal/modfetch/coderepo.go;src/cmd/go/internal/modfetch/coderepo_test.go Score:CVE-2022-23773:7.5 Reference:https://go-review.googlesource.com/c/go/+/378400/ Reason:fix CVE-2022-23773
From d57e23e7bd6a8f80ace3f1d668a387cf1bc989f7 Mon Sep 17 00:00:00 2001
From: hanchao <hanchao47@huawei.com>
Date: Wed, 23 Mar 2022 20:51:31 +0800
Subject: [PATCH 2/2] fix patch
cmd-go-internal-modfetch-do-not-short-circuit-canoni.patch
reason: the above patch is meant to fix CVE-2022-23773, but it does not work with golang1.15,
so this patch is used to fix that issue.
Conflict:NA
Reference:https://go-review.googlesource.com/c/go/+/378400/
Signed-off-by: hanchao <hanchao47@huawei.com>
---
src/cmd/go/internal/modfetch/coderepo.go | 24 +++++-------------------
1 file changed, 5 insertions(+), 19 deletions(-)
diff --git a/src/cmd/go/internal/modfetch/coderepo.go b/src/cmd/go/internal/modfetch/coderepo.go
index c654b36..def62d7 100644
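--- a/src/cmd/go/internal/modfetch/coderepo.go
+++ b/src/cmd/go/internal/modfetch/coderepo.go
@@ -456,11 +456,6 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e
 tagPrefix = r.codeDir + "/"
 }
 
- isRetracted, err := r.retractedVersions()
- if err != nil {
- isRetracted = func(string) bool { return false }
- }
-
 // tagToVersion returns the version obtained by trimming tagPrefix from tag.
 // If the tag is invalid, retracted, or a pseudo-version, tagToVersion returns
 // an empty version.
@@ -523,7 +518,7 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e
 }
 // Save the highest non-retracted canonical tag for the revision.
 // If we don't find a better match, we'll use it as the canonical version.
- if tagIsCanonical && semver.Compare(highestCanonical, v) < 0 && !isRetracted(v) {
+ if tagIsCanonical && semver.Compare(highestCanonical, v) < 0 {
 if module.MatchPathMajor(v, r.pathMajor) || canUseIncompatible(v) {
 highestCanonical = v
 }
@@ -536,27 +531,18 @@ func (r *codeRepo) convert(info *codehost.RevInfo, statVers string) (*RevInfo, e
 return checkCanonical(highestCanonical)
 }
 
- // Find the highest tagged version in the revision's history, subject to
- // major version and +incompatible constraints. Use that version as the
- // pseudo-version base so that the pseudo-version sorts higher. Ignore
- // retracted versions.
- allowedMajor := func(major string) func(v string) bool {
- return func(v string) bool {
- return ((major == "" && canUseIncompatible(v)) || semver.Major(v) == major) && !isRetracted(v)
- }
- }
 if pseudoBase == "" {
 var tag string
 if r.pseudoMajor != "" || canUseIncompatible("") {
- tag, _ = r.code.RecentTag(info.Name, tagPrefix, allowedMajor(r.pseudoMajor))
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix, r.pseudoMajor)
 } else {
 // Allow either v1 or v0, but not incompatible higher versions.
- tag, _ = r.code.RecentTag(info.Name, tagPrefix, allowedMajor("v1"))
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix, "v1")
 if tag == "" {
- tag, _ = r.code.RecentTag(info.Name, tagPrefix, allowedMajor("v0"))
+ tag, _ = r.code.RecentTag(info.Name, tagPrefix, "v0")
 }
 }
- pseudoBase, _ = tagToVersion(tag)
+ pseudoBase, _ = tagToVersion(tag) // empty if the tag is invalid
 }
 
 return checkCanonical(PseudoVersion(r.pseudoMajor, pseudoBase, info.Time, info.Short))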
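Review bot: Two comments kept as context still describe retraction filtering that the new code no longer performs: once `isRetracted` is deleted, "If the tag is invalid, retracted, or a pseudo-version" above tagToVersion and "Save the highest non-retracted canonical tag" above the `highestCanonical` check are stale. Reword them to `// If the tag is invalid or a pseudo-version, tagToVersion returns` and `// Save the highest canonical tag for the revision.`, so that a later reader of this security backport does not assume retracted tags are excluded here. The commit message would also benefit from saying why the filter is dropped; presumably this 1.15 tree has no `retractedVersions` and its `RecentTag` takes a major-version string rather than a predicate, but the patch does not state that. `convert` begins and ends outside the hunks, so tagToVersion's body cannot be checked from this page.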
--
2.30.0