New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go/internal/get: isSecure does not parse Git repository URIs correctly #23855

Open
depp opened this Issue Feb 15, 2018 · 3 comments

Comments

Projects
None yet
3 participants
@depp

depp commented Feb 15, 2018

go version go1.9.4 darwin/amd64

When Git parses a URL, it checks to see that the : is followed by a //, otherwise it considers the URL to be have [user@]host:path syntax. This is documented in the Git URLs documentation page. However, go get cannot understand the scp-like syntax, this behavior is incorrect.

  • See is_url in url.c:19 which shows the correct behavior, called from transport_get at transport.c:828
  • See isSecure in vcs.go:56 which shows the incorrect behavior

Here's how to reproduce:

cd $GOPATH/src
mkdir gogetbug
cd gogetbug
git init
git remote add origin git:gogetbug.git
echo $'package main\nfunc main() {}' > main.go
go get -u

The resulting error message is:

package gogetbug: cannot download, git:gogetbug.git uses insecure protocol

This is incorrect, the actual protocol here is SSH and go get is parsing it incorrectly. The workaround is to not have a Git server named git, but isn't that the most sensible name for your Git server?

@fraenkel

This comment has been minimized.

Contributor

fraenkel commented Jun 23, 2018

While it uses SSH, it does not provide any encryption (https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols). So does it still qualify as being secure?

@depp

This comment has been minimized.

depp commented Jun 23, 2018

@fraenkel I am unsure what you mean by "it does not provide any encryption" . SSH provides both authentication and encryption. The only problem here is that the URL is parsed incorrectly... it is parsed as a Git protocol URL, which is incorrect, because it is actually an SSH URL.

@fraenkel

This comment has been minimized.

Contributor

fraenkel commented Jun 23, 2018

I see what you mean. You are talking about when there is no scheme. Sorry for the confusion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment