Package: golang-go
Version: 2:1.15~1
Severity: normal
X-Debbugs-Cc: debbug.gol...@sideload.33mail.com

The go standard libraries apparently include some automatic proxy support for /go/ apps when the HTTPS_PROXY variable is populated. The problem is that SOCKS proxies are accepted. A SOCKS proxy is a different beast than an HTTP proxy. The HTTP*_PROXY variables are conventionally used by browsers to specify HTTP proxies. It’s misleading and wrong to use it to specify SOCKS proxies.

Here is an example of an app that uses the /go/ standard libs in this way:

  https://github.com/emersion/hydroxide/issues/110#issuecomment-751387567

URLs with the socks*:// scheme should be refused & trigger an error.

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'testing'), (990, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-19-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages golang-go depends on:
ii  golang-1.15-go  1.15.15-1~deb11u4
ii  golang-src      2:1.15~1

golang-go recommends no packages.

Versions of packages golang-go suggests:
ii  git  1:2.30.2-1

-- no debconf information
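
An added example, not part of the original report and not code from Go or hydroxide: one way an application can get the behaviour the report asks for, by wrapping the function it assigns to `http.Transport.Proxy`. `RefuseSOCKS` and `selectProxy` are hypothetical names, and the proxy addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// RefuseSOCKS (hypothetical helper) wraps a Transport.Proxy function and
// returns an error when the chosen proxy URL has a socks* scheme. Without it,
// net/http accepts socks5:// URLs from HTTPS_PROXY and dials a SOCKS proxy.
func RefuseSOCKS(next func(*http.Request) (*url.URL, error)) func(*http.Request) (*url.URL, error) {
	return func(req *http.Request) (*url.URL, error) {
		proxy, err := next(req)
		if err != nil || proxy == nil {
			return proxy, err // lookup failed, or no proxy applies to this request
		}
		if strings.HasPrefix(strings.ToLower(proxy.Scheme), "socks") {
			// Report scheme and host only, so proxy credentials are not logged.
			return nil, fmt.Errorf("refusing SOCKS proxy %s://%s given as an HTTP proxy", proxy.Scheme, proxy.Host)
		}
		return proxy, nil
	}
}

// selectProxy runs the guarded lookup for one proxy setting, using
// http.ProxyURL in place of the environment so the result is reproducible.
func selectProxy(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest("GET", "https://example.org/", nil)
	if err != nil {
		return nil, err
	}
	return RefuseSOCKS(http.ProxyURL(u))(req)
}

func main() {
	// In an application, guard the environment-driven lookup the same way.
	_ = &http.Transport{Proxy: RefuseSOCKS(http.ProxyFromEnvironment)}

	// Constructed sample settings, as they might appear in HTTPS_PROXY.
	for _, raw := range []string{"http://127.0.0.1:8080", "socks5://127.0.0.1:9050"} {
		u, err := selectProxy(raw)
		fmt.Printf("%-26s proxy=%v err=%v\n", raw, u, err)
	}
}
```

Because the Transport surfaces the error returned by its `Proxy` function, a request made through the guarded transport fails visibly instead of being routed through the SOCKS proxy.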