go: cmd/go: downloads follow plain-HTTP redirects even when the -insecure flag is not set

What version of Go are you using (go version)?

$ go version
go version devel +35f4ec152b Sat Jan 5 00:45:14 2019 +0000 linux/amd64

or ArchLinux’s community/go 2:1.11.4-1

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/xftroxgpx/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/xftroxgpx/build/2nonpkgs/go.stuff/gopath"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/go"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build832694890=/tmp/go-build -gno-record-gcc-switches"

What did you do?

EDIT: First, make sure outgoing tcp connections to port 80 are blocked / not allowed in the firewall! Otherwise you won’t get the connection refused error, and thus won’t realize the download was done over http.

$ cd $GOPATH
#note: NOT $GOPATH/src  !!!
$ git clone https://github.com/perkeep/perkeep.git perkeep.org
...
$ cd perkeep.org
$ time go run make.go
...
(error here)
$ time go run make.go
...
(same error here)
$ go clean
...
(same error here)

What did you expect to see?

no http fetches, i.e. all fetches should’ve been done via https (because all sites support https)

What did you see instead?

go: bazil.org/fuse@v0.0.0-20160811212531-371fbbdaa898: unrecognized import path "bazil.org/fuse" (https fetch: Get http://bazil.org/fuse/?go-get=1: dial tcp 104.28.6.28:80: connect: connection refused)
go: error loading module requirements

That bazil.org is the first entry in $GOPATH/perkeep.org/go.mod (in go.sum too but it doesn’t matter here), so if I change it to something else, it’s reflected in the error message.

Everything works and no error is emitted when I move the cloned dir perkeep.org from $GOPATH into $GOPATH/src

Related: https://github.com/golang/go/issues/29590#issuecomment-451747667 https://github.com/perkeep/perkeep/issues/1242#issuecomment-451747326

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 27 (14 by maintainers)

Most upvoted comments

The remaining question is, if the HTTPS handler explicitly indicates an insecure endpoint, should we follow it when the -insecure flag is not set?

I suspect that we should not, which probably means that the Go command should use a CheckRedirect handler to prohibit such redirects.

CC @FiloSottile, @bradfitz, @rsc
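
The CheckRedirect approach suggested in the comment above, sketched as an added example (this is not cmd/go's code or the fix that was eventually committed). The names secureRedirectPolicy, errInsecureRedirect and tryDowngrade are hypothetical, allowInsecure stands in for the -insecure flag, and both servers are constructed locally with net/http/httptest.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// errInsecureRedirect is a sentinel error named for this example only.
var errInsecureRedirect = errors.New("refusing redirect from https to plain http")

// secureRedirectPolicy returns a CheckRedirect function. Unless allowInsecure
// is true, a chain that started on https may not continue to a non-https URL.
func secureRedirectPolicy(allowInsecure bool) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= 10 { // same limit net/http applies by default
			return errors.New("stopped after 10 redirects")
		}
		if !allowInsecure && via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
			return fmt.Errorf("%w: %s", errInsecureRedirect, req.URL.Redacted())
		}
		return nil
	}
}

// tryDowngrade fetches a constructed HTTPS endpoint that redirects to a
// constructed plain-HTTP endpoint and returns the client's error, if any.
func tryDowngrade(allowInsecure bool) error {
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "served over plain http")
	}))
	defer plain.Close()
	secure := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, plain.URL+"/mod?go-get=1", http.StatusFound)
	}))
	defer secure.Close()

	client := secure.Client() // trusts the test server's certificate
	client.CheckRedirect = secureRedirectPolicy(allowInsecure)
	resp, err := client.Get(secure.URL + "/mod?go-get=1")
	if err != nil {
		return err // a *url.Error wrapping errInsecureRedirect when the hop is refused
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println("default: ", tryDowngrade(false))
	fmt.Println("insecure:", tryDowngrade(true))
}
```

With the policy installed the plain-HTTP request is never sent, so the failure is a clear policy error rather than the misleading "https fetch: Get http://..." connection error shown in the report.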