Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: work around insecure redirects for domains hosted on GitHub Pages #32071

Closed
rogpeppe opened this issue May 15, 2019 · 12 comments
Closed

cmd/go: work around insecure redirects for domains hosted on GitHub Pages #32071

rogpeppe opened this issue May 15, 2019 · 12 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Milestone
Go1.13

Comments

@rogpeppe
Copy link
Contributor

What version of Go are you using (go version)?

$ go version
go version devel +2e4edf4697 Sun May 12 07:14:09 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/rog/.cache/go-build"
GOENV="/home/rog/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/rog/src/go"
GOPROXY="direct"
GOROOT="/home/rog/go"
GOSUMDB="off"
GOTMPDIR=""
GOTOOLDIR="/home/rog/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/rog/src/work/quicktest/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build245885201=/tmp/go-build -gno-record-gcc-switches"

What did you do?

 cd $(mktemp -d)
 go mod init m
 go get googlemaps.github.io/maps

What did you expect to see?

I'd expect the command to succeed. It works on Go 1.12.

What did you see instead?

$ go get googlemaps.github.io/maps
go get googlemaps.github.io/maps: unrecognized import path "googlemaps.github.io/maps" (https fetch: Get http://googlemaps.github.io/maps/?go-get=1: redirected from secure URL https://googlemaps.github.io/maps?go-get=1 to insecure URL http://googlemaps.github.io/maps/?go-get=1)
@FiloSottile
Copy link
Contributor

This is working as intended following #29618. https://googlemaps.github.io/maps?go-get=1 is serving a redirect to an HTTP link, which is insecure, so requires the -insecure flag.

/cc @bcmills who is tracking impact of that change.

@FiloSottile
Copy link
Contributor

FiloSottile commented May 16, 2019
edited

(It would be nice to ask GitHub support why on Earth they are doing that, btw. It's bad for any client, not just the go command.)

@rogpeppe rogpeppe mentioned this issue May 16, 2019
Closed
@domesticmouse
Copy link

I'm curious what I'm doing wrong here. (I'm the Googler responsible for the Go googlemaps project.)

I set up redirects in https://github.com/googlemaps/googlemaps.github.io/blob/master/maps/index.html to point to https URLs.

Hints on how I can fix this gladly accepted.

@bcmills
Copy link
Contributor

bcmills commented May 16, 2019

There is an interesting clue in isaacs/github#289 (comment):

GitHub Support wrote:

This redirection quirk that you've discovered is a known issue, and relates to trailing slashes and how our redirects work at the moment. Making a request to a URL without a trailing slash will cause redirections to run in this order:

request to original URL
301 to HTTPS version of original URL
301 to HTTP version with added trailing slash
301 to HTTPS version with added trailing slash
Always including the trailing slash will allow you to skip the extra redirects:

request to URL with trailing slash
301 to HTTPS version of original URL
We have an issue open internally to hopefully improve this situation, but investigations have demonstrates that it is a non-trivial issue to resolve.

@bcmills
Copy link
Contributor

bcmills commented May 16, 2019

Reopening to consider workarounds, but I'd really rather GitHub fix their redirects instead.

@bcmills bcmills reopened this May 16, 2019
@bcmills bcmills added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 16, 2019
@bcmills bcmills added this to the Go1.13 milestone May 16, 2019
@bcmills bcmills self-assigned this May 16, 2019
@bcmills bcmills changed the title cmd/go: get googlemaps.github.io/maps fails on tip cmd/go: work around insecure redirects for domains hosted on GitHub Pages? May 16, 2019
@rsc
Copy link
Contributor

rsc commented May 16, 2019

If -insecure is not being used and we see https://foo redirect to http://foo/ (that is, the only deltas are s|https|http|; s|$|/|) can we quietly put the https back instead of failing?

@bcmills
Copy link
Contributor

bcmills commented May 16, 2019

Yep, that seems like a plausible workaround — it's small, doesn't hard-code information specific to GitHub, and doesn't require that we change the initial URL.

@bcmills bcmills added the NeedsFix The path to resolution is known, but the work has not been done. label May 16, 2019
@bcmills bcmills changed the title cmd/go: work around insecure redirects for domains hosted on GitHub Pages? cmd/go: work around insecure redirects for domains hosted on GitHub Pages May 16, 2019
@gopherbot gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 16, 2019
@btoews
Copy link

btoews commented May 16, 2019

We deployed a fix for this. Let us know if it has resolved the issue you were seeing.

@FiloSottile
Copy link
Contributor

This is indeed fixed, thank you @mastahyeti!

@ptoomey3
Copy link

Apologies all..we are having to revert the change for now. We are looking into an issue it caused.

@FiloSottile FiloSottile reopened this May 16, 2019
@rogpeppe rogpeppe mentioned this issue May 17, 2019
Closed
@ptoomey3
Copy link

Can you all check this again? A second attempt (without the bug 🤞) was deployed late last week.

@bcmills
Copy link
Contributor

bcmills commented May 28, 2019

@ptoomey3, it seems to be working again. Thanks!

example.com$ gotip get googlemaps.github.io/maps
go: finding googlemaps.github.io/maps latest
go: downloading googlemaps.github.io/maps v0.0.0-20190514133808-4d12cf0fa845
go: extracting googlemaps.github.io/maps v0.0.0-20190514133808-4d12cf0fa845
go: finding github.com/google/uuid v1.1.1
go: finding golang.org/x/time latest
go: downloading github.com/google/uuid v1.1.1
go: downloading golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
go: extracting github.com/google/uuid v1.1.1
go: extracting golang.org/x/time v0.0.0-20190308202827-9d24e82272b4

example.com$

@bcmills bcmills closed this as completed May 28, 2019
@aofei aofei mentioned this issue Jul 30, 2019
Closed
This was referenced Sep 8, 2019
Closed
Closed
@golang golang locked and limited conversation to collaborators May 27, 2020
@rsc rsc unassigned bcmills Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Projects
None yet
Milestone
Go1.13
Development

No branches or pull requests
8 participants
@domesticmouse @rogpeppe @ptoomey3 @rsc @btoews @FiloSottile @bcmills @gopherbot