diff options
| author | Bryan C. Mills <bcmills@google.com> | 2023-08-09 17:14:30 -0400 |
|---|---|---|
| committer | Michael Knyszek <mknyszek@google.com> | 2023-08-11 14:53:49 +0000 |
| commit | 75d8be5fb4cbc1a539a99557cef93dcdef997bf5 (patch) | |
| tree | f0d6fe5acece90e66bcf9fcbc2762455eb44e479 | |
| parent | 1755d1455977cb9dc6cdfa032dfd1c370e2a4097 (diff) | |
| download | go-75d8be5fb4cbc1a539a99557cef93dcdef997bf5.tar.gz go-75d8be5fb4cbc1a539a99557cef93dcdef997bf5.zip | |
[release-branch.go1.21] cmd/go/internal/web: release the net token when an HTTP request fails due to CheckRedirect
Updates #61877.
Fixes #61905.
Change-Id: I38c63565aaf9dc9b0c8085974521daccfbcbc790
Reviewed-on: https://go-review.googlesource.com/c/go/+/518015
Reviewed-by: Michael Matloob <matloob@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8cb5c55118a8273e1cc605b8ba167297808c4eda)
Reviewed-on: https://go-review.googlesource.com/c/go/+/518395
| -rw-r--r-- | src/cmd/go/internal/web/http.go | 20 | ||||
| -rw-r--r-- | src/cmd/go/testdata/script/mod_get_insecure_redirect.txt | 19 |
2 files changed, 32 insertions, 7 deletions
diff --git a/src/cmd/go/internal/web/http.go b/src/cmd/go/internal/web/http.go index 76b767c751..4fc939a30d 100644 --- a/src/cmd/go/internal/web/http.go +++ b/src/cmd/go/internal/web/http.go @@ -212,16 +212,22 @@ func get(security SecurityMode, url *urlpkg.URL) (*Response, error) { } } - if res == nil || res.Body == nil { + if err != nil { + // Per the docs for [net/http.Client.Do], “On error, any Response can be + // ignored. A non-nil Response with a non-nil error only occurs when + // CheckRedirect fails, and even then the returned Response.Body is + // already closed.” release() - } else { - body := res.Body - res.Body = hookCloser{ - ReadCloser: body, - afterClose: release, - } + return nil, nil, err } + // “If the returned error is nil, the Response will contain a non-nil Body + // which the user is expected to close.” + body := res.Body + res.Body = hookCloser{ + ReadCloser: body, + afterClose: release, + } return url, res, err } diff --git a/src/cmd/go/testdata/script/mod_get_insecure_redirect.txt b/src/cmd/go/testdata/script/mod_get_insecure_redirect.txt new file mode 100644 index 0000000000..a503c914e3 --- /dev/null +++ b/src/cmd/go/testdata/script/mod_get_insecure_redirect.txt @@ -0,0 +1,19 @@ +# golang.org/issue/29591: 'go get' was following plain-HTTP redirects even without -insecure (now replaced by GOINSECURE). +# golang.org/issue/61877: 'go get' would panic in case of an insecure redirect in module mode + +[!git] skip + +env GOPRIVATE=vcs-test.golang.org + +! go get -d vcs-test.golang.org/insecure/go/insecure +stderr 'redirected .* to insecure URL' + +[short] stop 'builds a git repo' + +env GOINSECURE=vcs-test.golang.org/insecure/go/insecure +go get -d vcs-test.golang.org/insecure/go/insecure + +-- go.mod -- +module example +go 1.21 + |