go, branch go1.10.6 Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.10.6 2018-12-13T17:16:47Z [release-branch.go1.10-security] go1.10.6 2018-12-13T17:16:47Z Dmitri Shuralyov dmitshur@golang.org 2018-12-13T17:07:16Z urn:sha1:25ca8f49c3fc4a68daff7a23ab613e3453be5cda Change-Id: I1a05884b2df711da15d2ca3f09fcb6fc4a3264c7 Reviewed-on: https://team-review.git.corp.google.com/c/377324 Reviewed-by: Andrew Bonventre <andybons@google.com> [release-branch.go1.10-security] doc: document Go 1.10.6 2018-12-12T19:08:14Z Dmitri Shuralyov dmitshur@golang.org 2018-12-12T18:35:19Z urn:sha1:f1a7c2aae8df88403b296e87fcf59c90271f9308 Change-Id: I3fe44887a84586d73be01df78a9cbb002c1fc9c5 Reviewed-on: https://team-review.git.corp.google.com/c/376467 Reviewed-by: Filippo Valsorda <valsorda@google.com> [release-branch.go1.10-security] cmd/go/internal/get: relax pathOK check to allow any letter 2018-12-07T14:48:24Z Bryan C. Mills bcmills@google.com 2018-12-04T22:00:19Z urn:sha1:9a8006764336b71cd28ff313db1558865e6afc47 This fixes a regression of #18660 with the new path checks. Change-Id: I07cd248392ba8f5f9b1614b79a323cca1ad1d46d Reviewed-on: https://team-review.git.corp.google.com/c/372708 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> [release-branch.go1.10-security] cmd/go/internal/get: use a strings.Replacer in expand 2018-12-07T14:48:05Z Bryan C. Mills bcmills@google.com 2018-12-04T20:42:32Z urn:sha1:aaa5f477540e6ef89de0da858a1334d05344d7fc This should be a no-op, but produces deterministic (and more correct) behavior if we have accidentally failed to sanitize one of the inputs. Change-Id: I1271d0ffd01a691ec8c84906c4e02d9e2be19c72 Reviewed-on: https://team-review.git.corp.google.com/c/372707 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> [release-branch.go1.10-security] cmd/go/internal/get: reject Windows shortnames as path components 2018-12-07T14:47:58Z Bryan C. Mills bcmills@google.com 2018-12-04T19:37:39Z urn:sha1:7ef6ee2c5727f0d11206b4d1866c18e6ab4785be Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65 Reviewed-on: https://team-review.git.corp.google.com/c/370573 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> [release-branch.go1.10-security] cmd/go: reject 'get' of paths containing leading dots or unsupported characters 2018-12-07T14:47:30Z Bryan C. Mills bcmills@google.com 2018-12-03T20:12:08Z urn:sha1:90d609ba6156299642d08afc06d85ab770a03972 On some platforms, directories beginning with dot are treated as hidden files, and filenames containing unusual characters can be confusing for users to manipulate (and delete). Change-Id: I443bdeb98e4de24b8a93a75fb923f4d41052e8f7 Reviewed-on: https://team-review.git.corp.google.com/c/368703 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> [release-branch.go1.10-security] crypto/x509: limit number of signature checks for each verification 2018-12-07T00:38:02Z Filippo Valsorda filippo@golang.org 2018-12-05T03:23:22Z urn:sha1:0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d That number grows quadratically with the number of intermediate certificates in certain pathological cases (for example if they all have the same Subject) leading to a CPU DoS. Set a fixed budget that should fit all real world chains, given we only look at intermediates provided by the peer. The algorithm can be improved, but that's left for follow-up CLs: * the cache logic should be reviewed for correctness, as it seems to override the entire chain with the cached one * the equality check should compare Subject and public key, not the whole certificate * certificates with the right SKID but the wrong Subject should not be considered, and in particular should not take priority over certificates with the right Subject Change-Id: Ib257c12cd5563df7723f9c81231d82b882854213 Reviewed-on: https://team-review.git.corp.google.com/c/370475 Reviewed-by: Andrew Bonventre <andybons@google.com> (cherry picked from commit 09d57361bc99cbbfb9755ee30ddcb42ff5a9d7d6) Reviewed-on: https://team-review.git.corp.google.com/c/372923 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> [release-branch.go1.10] go1.10.5 2018-11-02T20:17:59Z Andrew Bonventre andybons@golang.org 2018-11-02T19:55:05Z urn:sha1:1ae739797ec72acbd6d90b94a2366a31566205c2 Change-Id: Ibad4471510ea8546954c4361424daadb845b2f3f Reviewed-on: https://go-review.googlesource.com/c/147183 Run-TryBot: Andrew Bonventre <andybons@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> [release-branch.go1.10] doc: document Go 1.10.5 2018-11-02T19:53:46Z Andrew Bonventre andybons@golang.org 2018-11-02T19:31:37Z urn:sha1:aaccedc7815e61ad5bcdc5d094301c0e9484652e Change-Id: I11adca150ab795607b832fb354a3e065655e1020 Reviewed-on: https://go-review.googlesource.com/c/147179 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit 2764d5ee7b23ae1caf2a4cd4506116a1b9efbf66) Reviewed-on: https://go-review.googlesource.com/c/147180 Reviewed-by: Andrew Bonventre <andybons@golang.org> [release-branch.go1.10] cmd/internal/obj/arm64: fix branch-too-far with TBZ like instructions 2018-11-02T17:45:38Z Cherry Zhang cherryyz@google.com 2018-02-17T15:31:39Z urn:sha1:ce842c532a963b08025fdfe1aa25a341ad2d6582 The compiler now emits TBZ like instructions, but the assembler's too-far-branch patch code didn't include that case. Add it. Updates #23889 Fixes #25794 Change-Id: Ib75f9250c660b9fb652835fbc83263a5d5073dc5 Reviewed-on: https://go-review.googlesource.com/94902 Run-TryBot: Cherry Zhang <cherryyz@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit 911839c1f462260db0f001f8e017f10f688d2270) Reviewed-on: https://go-review.googlesource.com/c/147057 Reviewed-by: Cherry Zhang <cherryyz@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>