
[pull] master from golang:master#2684

Merged
pull[bot] merged 1 commit intoareller:masterfrom
golang:master
Jul 8, 2025

Conversation


@pull pull bot commented Jul 8, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.2)

Can you help keep this open source service alive? 💖 Please sponsor : )

Removes the somewhat redundant vcs.FromDir "allowNesting" argument,
which was always enabled, and disallows multiple VCS metadata folders
being present in a single directory. This makes VCS injection attacks
much more difficult.

Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.

Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting this issue.

Fixes #74380
Fixes CVE-2025-4674

Change-Id: I5787d90cdca8deb3aca6f154efb627df1e7d2789
Reviewed-on: https://go-review.googlesource.com/c/go/+/686515
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Commit-Queue: Carlos Amedee <carlos@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
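As an added example (not code from the Go project or from this commit), the following Go function mirrors the check the commit message describes: it walks up from a directory looking for VCS metadata and rejects any directory that holds more than one VCS marker, unless a permissive flag (standing in for the allowmultiplevcs GODEBUG) is set. The marker set, the function names and the error value are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// vcsDirs are the metadata directories that mark a checkout. The set is
// an assumption for this example; the commit message does not list them.
var vcsDirs = []string{".git", ".hg", ".svn", ".bzr", ".fossil"}

// ErrMultipleVCS is returned when one directory carries more than one marker.
var ErrMultipleVCS = errors.New("multiple VCS metadata folders in one directory")

// VCSMarkersIn returns the VCS metadata entries present directly in dir.
func VCSMarkersIn(dir string) []string {
	var found []string
	for _, name := range vcsDirs {
		if _, err := os.Lstat(filepath.Join(dir, name)); err == nil {
			found = append(found, name)
		}
	}
	return found
}

// FindVCSRoot walks from dir toward the filesystem root and returns the
// first directory holding VCS metadata together with the marker found
// there. With allowMultiple false (the hardened default) a directory
// holding several markers is rejected instead of silently picking one;
// allowMultiple true stands in for the allowmultiplevcs GODEBUG setting.
func FindVCSRoot(dir string, allowMultiple bool) (root, marker string, err error) {
	if dir, err = filepath.Abs(dir); err != nil {
		return "", "", err
	}
	for {
		found := VCSMarkersIn(dir)
		if len(found) > 1 && !allowMultiple {
			return "", "", fmt.Errorf("%w: %s has %v", ErrMultipleVCS, dir, found)
		}
		if len(found) > 0 {
			return dir, found[0], nil
		}
		parent := filepath.Dir(dir)
		if parent == dir {
			return "", "", errors.New("no VCS metadata found")
		}
		dir = parent
	}
}
```

A directory that carries both a `.git` and a planted `.hg` folder is the shape of the nesting the fix rejects; the error names the directory and the markers so a build log shows exactly what was found.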
@pull pull bot locked and limited conversation to collaborators Jul 8, 2025
@pull pull bot added the ⤵️ pull label Jul 8, 2025
@pull pull bot merged commit 54c9d77 into areller:master Jul 8, 2025