Go: cmd/go: directory traversal in "go get" via curly braces in import paths [Go 1.10]

Created on 13 Dec 2018  路  2Comments  路  Source: golang/go

This is a tracking issue for #29231, a security vulnerability fixed in Go 1.10.6.

CherryPickApproved FrozenDueToAge Security
Source
picture FiloSottile

Most helpful comment

Thanks for reporting this, I opened #29241 and we'll work to fix this as soon as possible.

picture FiloSottile on 13 Dec 2018
👍2

All 2 comments

This breaks go getting with ...: https://travis-ci.com/geek1011/kobopatch-patches/builds/94712529#L523.

This is because you just do a simple check for if a path contains .., without accounting for the ....

pgaskin picture pgaskin on 13 Dec 2018
1 👍1

Thanks for reporting this, I opened #29241 and we'll work to fix this as soon as possible.

FiloSottile picture FiloSottile on 13 Dec 2018
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ajstarks picture ajstarks  路  3Comments
michaelsafyan picture michaelsafyan  路  3Comments
gopherbot picture gopherbot  路  3Comments
natefinch picture natefinch  路  3Comments
ashb picture ashb  路  3Comments