Commit
internal/code: reject all non-v0.0.0 pseudo-versions
The intention of the current ModuleHandler is to serve only v0.0.0 pseudo-versions. This requires checking the version component of the incoming module request, and verifying that it is exactly v0.0.0 and not another value. This wasn't done previously, which means an explicit request to a non-v0.0.0 pseudo-version would be served by ModuleHandler as if such a version existed.

This would be problematic if someone started to depend on such an unintentional version, or if the Go module mirror indexed it and made a permanent record of it existing. Non-v0.0.0 pseudo-versions were never advertised by the list endpoint or elsewhere, so the chance of it happening was low. Fortunately, no such explicit requests were made, and unintentional versions were not indexed by the Go module mirror.

This serves as an example of the risk one undertakes when implementing a custom module proxy implementation. It's very important to serve the precise versions that one intends to serve, and no other versions.

Simplify code to satisfy the current narrow needs. When the scope of ModuleHandler expands to support non-v0.0.0 pseudo-versions, then we can go back to using more general pseudo-version parsing code.

Updates golang/go#24031
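The strict check the commit message describes can be sketched as follows. This is an added example, not code from this commit or repository: the name `parseV000PseudoVersion` is hypothetical, the 12-character lowercase-hex revision assumes git-style pseudo-versions, and the sample versions are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

var errNotV000 = errors.New("not a v0.0.0-yyyymmddhhmmss-abcdefabcdef pseudo-version")

// allIn reports whether every byte of s is in charset.
func allIn(s, charset string) bool {
	for i := 0; i < len(s); i++ {
		if !strings.Contains(charset, s[i:i+1]) {
			return false
		}
	}
	return true
}

// parseV000PseudoVersion (hypothetical name, not from the commit) accepts only
// v0.0.0-yyyymmddhhmmss-abcdefabcdef and returns the UTC time and revision prefix.
// Any other base version, pre-release shape or suffix is an error.
func parseV000PseudoVersion(version string) (time.Time, string, error) {
	const prefix = "v0.0.0-"
	if !strings.HasPrefix(version, prefix) {
		return time.Time{}, "", errNotV000
	}
	ts, rev, ok := strings.Cut(version[len(prefix):], "-")
	if !ok || len(ts) != 14 || len(rev) != 12 ||
		!allIn(ts, "0123456789") || !allIn(rev, "0123456789abcdef") {
		return time.Time{}, "", errNotV000
	}
	t, err := time.Parse("20060102150405", ts) // rejects impossible dates such as month 13
	if err != nil {
		return time.Time{}, "", errNotV000
	}
	return t, rev, nil
}

func main() {
	for _, v := range []string{ // constructed sample requests
		"v0.0.0-20190829155054-abcdef123456",
		"v0.0.1-0.20190829155054-abcdef123456",
		"v1.0.0-20190829155054-abcdef123456",
	} {
		_, _, err := parseV000PseudoVersion(v)
		fmt.Printf("%-40s served=%v\n", v, err == nil)
	}
}
```
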
Showing 3 changed files with 106 additions and 45 deletions.