1
0
mirror of https://github.com/golang/go synced 2024-11-26 14:26:51 -07:00
The Go programming language
Go to file
Russ Cox 1900d34a10 [release-branch.go1.9] net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers
PlainAuth originally refused to send passwords to non-TLS servers
and was documented as such.

In 2013, issue #5184 was filed objecting to the TLS requirement,
despite the fact that it is spelled out clearly in RFC 4954.
The only possibly legitimate use case raised was using PLAIN auth
for connections to localhost, and the suggested fix was to let the
server decide: if it advertises that PLAIN auth is OK, believe it.
That approach was adopted in CL 8279043 and released in Go 1.1.

Unfortunately, this is exactly wrong. The whole point of the TLS
requirement is to make sure not to send the password to the wrong
server or to a man-in-the-middle. Instead of implementing this rule,
CL 8279043 blindly trusts the server, so that if a man-in-the-middle
says "it's OK, you can send me your password," PlainAuth does.
And the documentation was not updated to reflect any of this.

This CL restores the original TLS check, as required by RFC 4954
and as promised in the documentation for PlainAuth.
It then carves out a documented exception for connections made
to localhost (defined as "localhost", "127.0.0.1", or "::1").

Cherry-pick of CL 68170.

Change-Id: I1d3729bbd33aa2f11a03f4c000e6bb473164957b
Reviewed-on: https://go-review.googlesource.com/68210
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
2017-10-04 18:19:11 +00:00
.github .github: add .md extension to SUPPORT file 2017-07-30 21:46:28 +00:00
api doc, api: add syscall.SysProcAttr.AmbientCaps change to 1.9 notes, API 2017-06-29 03:29:46 +00:00
doc [release-branch.go1.9] doc: add go1.9 to golang.org/project 2017-08-24 19:57:08 +00:00
lib/time time: vendor tzdata-2017b and update test 2017-06-07 21:23:58 +00:00
misc runtime: mark activeModules nosplit/nowritebarrier 2017-08-05 18:05:41 +00:00
src [release-branch.go1.9] net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers 2017-10-04 18:19:11 +00:00
test test: add README 2017-07-26 23:37:25 +00:00
.gitattributes
.gitignore .gitignore: change path to zbootstrap.go 2017-04-19 02:13:58 +00:00
AUTHORS A+C: final updates for Go 1.9 2017-07-18 01:47:54 +00:00
CONTRIBUTING.md .github: recommend 'go bug' when filing an issue 2017-07-24 17:18:34 +00:00
CONTRIBUTORS A+C: final updates for Go 1.9 2017-07-18 01:47:54 +00:00
favicon.ico website: recreate 16px and 32px favicon 2016-08-25 15:43:32 +00:00
LICENSE doc: revert copyright date to 2009 2016-06-01 22:40:04 +00:00
PATENTS
README.md readme: add attribution for the Gopher image 2017-02-03 19:39:41 +00:00
robots.txt
VERSION [release-branch.go1.9] go1.9 2017-08-24 20:52:14 +00:00

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.

Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at https://golang.org/dl/.

After downloading a binary release, visit https://golang.org/doc/install or load doc/install.html in your web browser for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source or load doc/install-source.html in your web browser for source installation instructions.

Contributing

Go is the work of hundreds of contributors. We appreciate your help!

To contribute, please read the contribution guidelines: https://golang.org/doc/contribute.html

Note that the Go project does not use GitHub pull requests, and that we use the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.