<feed xmlns='http://www.w3.org/2005/Atom'>
<title>go, branch go1.14.8</title>
<subtitle>Fork of Go programming language with my patches.</subtitle>
<id>http://git.kilabit.info/go/atom?h=go1.14.8</id>
<link rel='self' href='http://git.kilabit.info/go/atom?h=go1.14.8'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/'/>
<updated>2020-09-01T14:08:43Z</updated>
<entry>
<title>[release-branch.go1.14-security] go1.14.8</title>
<updated>2020-09-01T14:08:43Z</updated>
<author>
<name>Dmitri Shuralyov</name>
<email>dmitshur@golang.org</email>
</author>
<published>2020-09-01T13:01:09Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=c187a3d47c41d54bd570905caad128ba947e3d03'/>
<id>urn:sha1:c187a3d47c41d54bd570905caad128ba947e3d03</id>
<content type='text'>
Change-Id: Ie582b6c53c6b120c56fbdd22b0c6946dd87f093b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835358
Reviewed-by: Filippo Valsorda &lt;valsorda@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14-security] net/http/cgi,net/http/fcgi: add Content-Type detection</title>
<updated>2020-09-01T12:31:38Z</updated>
<author>
<name>Roberto Clapis</name>
<email>roberto@golang.org</email>
</author>
<published>2020-08-26T06:53:03Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=8fcee8abbea1bb959c63a6944f9ddf490a97f802'/>
<id>urn:sha1:8fcee8abbea1bb959c63a6944f9ddf490a97f802</id>
<content type='text'>
This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox &lt;rsc@google.com&gt;
(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835312
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14-security] go1.14.7</title>
<updated>2020-08-06T14:43:51Z</updated>
<author>
<name>Alexander Rakoczy</name>
<email>alex@golang.org</email>
</author>
<published>2020-08-06T14:07:05Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=d571a77846dfee8efd076223a882915cd6cb52f4'/>
<id>urn:sha1:d571a77846dfee8efd076223a882915cd6cb52f4</id>
<content type='text'>
Change-Id: Ifad33b3ca723231ef1c80ff01db90fd35e322f3d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/814548
Reviewed-by: Katie Hockman &lt;katiehockman@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14-security] encoding/binary: read at most MaxVarintLen64 bytes in ReadUvarint</title>
<updated>2020-08-06T13:03:14Z</updated>
<author>
<name>Katie Hockman</name>
<email>katie@golang.org</email>
</author>
<published>2020-08-04T15:45:32Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=51bb041f7cf17c5e8e10a7307521625437687b04'/>
<id>urn:sha1:51bb041f7cf17c5e8e10a7307521625437687b04</id>
<content type='text'>
This CL ensures that ReadUvarint consumes only a limited
amount of input (instead of an unbounded amount).

On some inputs, ReadUvarint could read an arbitrary number
of bytes before deciding to return an overflow error.
After this CL, ReadUvarint returns that same overflow
error sooner, after reading at most MaxVarintLen64 bytes.

Fix authored by Robert Griesemer and Filippo Valsorda.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
and Preston Van Loon for reporting this.

Fixes CVE-2020-16845

Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
Reviewed-by: Filippo Valsorda &lt;valsorda@google.com&gt;
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812326
</content>
</entry>
<entry>
<title>[release-branch.go1.14] go1.14.6</title>
<updated>2020-07-16T22:23:28Z</updated>
<author>
<name>Andrew Bonventre</name>
<email>andybons@golang.org</email>
</author>
<published>2020-07-16T21:41:54Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=edfd6f28486017dcb136cd3f3ec252706d4b326e'/>
<id>urn:sha1:edfd6f28486017dcb136cd3f3ec252706d4b326e</id>
<content type='text'>
Change-Id: If9f503098056bd86b2bf51e3297b1bcecd8453bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/243138
Run-TryBot: Andrew Bonventre &lt;andybons@golang.org&gt;
TryBot-Result: Gobot Gobot &lt;gobot@golang.org&gt;
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14] testing: capture testname on --- PASS and --- FAIL lines</title>
<updated>2020-07-16T18:22:52Z</updated>
<author>
<name>Jean de Klerk</name>
<email>deklerk@google.com</email>
</author>
<published>2020-06-01T18:19:05Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=3445c3512b1db3915f0eaebaa4b4ee9b98d6966f'/>
<id>urn:sha1:3445c3512b1db3915f0eaebaa4b4ee9b98d6966f</id>
<content type='text'>
This fixes an issue raised at https://github.com/golang/go/issues/38458#issuecomment-635617670
in which --- PASS and --- FAIL lines would not trigger --- CONT lines
of other tests.

Updates #38458.
For #39308.

Change-Id: I0d8cc54d682a370d0a6ea6816a11b2e462a92efe
Reviewed-on: https://go-review.googlesource.com/c/go/+/235997
Run-TryBot: Emmanuel Odeke &lt;emm.odeke@gmail.com&gt;
TryBot-Result: Gobot Gobot &lt;gobot@golang.org&gt;
Reviewed-by: Bryan C. Mills &lt;bcmills@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/242058
Reviewed-by: Jean de Klerk &lt;deklerk@google.com&gt;
Reviewed-by: Emmanuel Odeke &lt;emm.odeke@gmail.com&gt;
Run-TryBot: Dmitri Shuralyov &lt;dmitshur@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14] cmd/go: fix parallel chatty tests on solaris-amd64 builder</title>
<updated>2020-07-16T18:22:15Z</updated>
<author>
<name>Tobias Klauser</name>
<email>tklauser@distanz.ch</email>
</author>
<published>2020-05-23T22:09:20Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=4298b46e23c0b37d9ab32eaf109b15d55d66667e'/>
<id>urn:sha1:4298b46e23c0b37d9ab32eaf109b15d55d66667e</id>
<content type='text'>
The parallel chatty tests added in CL 229085 fail on the
solaris-amd64-oraclerel builder, because a +NN:NN offset time zone is
used. Allow for the `+` character in the corresponding regex to fix
these tests. Also move the '-' to the end of the character class, so it
is not interpreted as the range 9-T.

Updates #38458.
For #39308.

Change-Id: Iec9ae82ba45d2490176f274f0dc6812666eae718
Reviewed-on: https://go-review.googlesource.com/c/go/+/234978
Run-TryBot: Tobias Klauser &lt;tobias.klauser@gmail.com&gt;
TryBot-Result: Gobot Gobot &lt;gobot@golang.org&gt;
Reviewed-by: Ian Lance Taylor &lt;iant@golang.org&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/242059
Run-TryBot: Dmitri Shuralyov &lt;dmitshur@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14] testing: reformat test chatty output</title>
<updated>2020-07-16T18:20:50Z</updated>
<author>
<name>Jean de Klerk</name>
<email>deklerk@google.com</email>
</author>
<published>2020-05-04T20:06:34Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=2ba9d45f9cc033bfc584701f458a032aa04f89c5'/>
<id>urn:sha1:2ba9d45f9cc033bfc584701f458a032aa04f89c5</id>
<content type='text'>
In #24929, we decided to stream chatty test output. It looks like,

foo_test.go:138: TestFoo/sub-1: hello from subtest 1
foo_test.go:138: TestFoo/sub-2: hello from subtest 2

In this CL, we refactor the output to be grouped by === CONT lines, preserving
the old test-file-before-log-line behavior:

=== CONT TestFoo/sub-1
    foo_test.go:138 hello from subtest 1
=== CONT TestFoo/sub-2
    foo_test.go:138 hello from subtest 2

This should remove a layer of verbosity from tests, and make it easier to group
together related lines. It also returns to a more familiar format (the
pre-streaming format), whilst still preserving the streaming feature.

Updates #38458.
Fixes #39308.

Change-Id: Iaef94c580d69cdd541b2ef055aa004f50d72d078
Reviewed-on: https://go-review.googlesource.com/c/go/+/229085
Run-TryBot: Emmanuel Odeke &lt;emm.odeke@gmail.com&gt;
TryBot-Result: Gobot Gobot &lt;gobot@golang.org&gt;
Reviewed-by: Bryan C. Mills &lt;bcmills@google.com&gt;
Reviewed-by: Andrew Bonventre &lt;andybons@golang.org&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/242057
Reviewed-by: Jean de Klerk &lt;deklerk@google.com&gt;
Reviewed-by: Emmanuel Odeke &lt;emm.odeke@gmail.com&gt;
Run-TryBot: Jean de Klerk &lt;deklerk@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14] database/sql: backport 5 Tx rollback related CLs</title>
<updated>2020-07-16T00:35:30Z</updated>
<author>
<name>Emmanuel T Odeke</name>
<email>emmanuel@orijtech.com</email>
</author>
<published>2020-01-24T02:18:39Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=399ce807381f897d5ea7bdd3970017976d249738'/>
<id>urn:sha1:399ce807381f897d5ea7bdd3970017976d249738</id>
<content type='text'>
Manually backported the subject CLs, because of lack of
Gerrit "forge-author" permissions, but also because the prior
cherry picks didn't apply cleanly, due to a tight relation chain.

The backport comprises:
* CL 174122
* CL 216197
* CL 223963
* CL 216240
* CL 216241

Note:
Due to the restrictions that we cannot retroactively
introduce API changes to Go1.14.6 that weren't in Go1.14, the Conn.Validator
interface (from CL 174122, CL 223963) isn't exposed, and drivers will just be
inspected, for if they have an IsValid() bool method implemented.

For a description of the content of each CL:

* CL 174122:
database/sql: process all Session Resets synchronously

Adds a new interface, driver.ConnectionValidator, to allow
drivers to signal they should not be used again,
separately from the session resetter interface.
This is done now that the session reset is done
after the connection is put into the connection pool.

Previous behavior attempted to run Session Resets
in a background worker. This implementation had two
problems: untested performance gains for additional
complexity, and failures when the pool size
exceeded the connection reset channel buffer size.

* CL 216197:
database/sql: check conn expiry when returning to pool, not when handing it out

With the original connection reuse strategy, it was possible that
when a new connection was requested, the pool would wait for an
existing connection to return for re-use in a full connection
pool, and then it would check if the returned connection was expired.
If the returned connection expired while awaiting re-use, it would
return an error to the location requesting the new connection.
The existing call sites requesting a new connection was often the last
attempt at returning a connection for a query. This would then
result in a failed query.

This change ensures that we perform the expiry check right
before a connection is inserted back in to the connection pool
for while requesting a new connection. If requesting a new connection
it will no longer fail due to the connection expiring.

* CL 216240:
database/sql: prevent Tx statement from committing after rollback

It was possible for a Tx that was aborted for rollback
asynchronously to execute a query after the rollback had completed
on the database, which often would auto commit the query outside
of the transaction.

By W-locking the tx.closemu prior to issuing the rollback
connection it ensures any Tx query either fails or finishes
on the Tx, and never after the Tx has rolled back.

* CL 216241:
database/sql: on Tx rollback, retain connection if driver can reset session

Previously the Tx would drop the connection after rolling back from
a context cancel. Now if the driver can reset the session,
keep the connection.

* CL 223963:
database/sql: add test for Conn.Validator interface

This addresses comments made by Russ after
https://golang.org/cl/174122 was merged. It adds a test
for the connection validator and renames the interface to just
"Validator".

Updates #31480
Updates #32530
Updates #32942
Updates #34775
Fixes #39101

Change-Id: I043d2d724a367588689fd7d6f3cecb39abeb042c
Reviewed-on: https://go-review.googlesource.com/c/go/+/242102
Run-TryBot: Emmanuel Odeke &lt;emm.odeke@gmail.com&gt;
TryBot-Result: Gobot Gobot &lt;gobot@golang.org&gt;
Reviewed-by: Daniel Theophanes &lt;kardianos@gmail.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.14] all: merge release-branch.go1.14-security into release-branch.go1.14</title>
<updated>2020-07-14T18:50:56Z</updated>
<author>
<name>Katie Hockman</name>
<email>katie@golang.org</email>
</author>
<published>2020-07-14T18:50:56Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=bce174c435f531d429c36540f3a52dccb4426245'/>
<id>urn:sha1:bce174c435f531d429c36540f3a52dccb4426245</id>
<content type='text'>
Change-Id: Ia002311f7206f11a98929361f55eb2ab765b7d5c
</content>
</entry>
</feed>
