Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.15.1 2020-09-01T14:08:32Z 2020-09-01T14:08:32Z Dmitri Shuralyov dmitshur@golang.org 2020-09-01T12:58:41Z urn:sha1:01af46f7cc419da19f8a6a444da8f6022c016803 Change-Id: I4103c524ce46d50215af5097460e514609b513c6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835373 Reviewed-by: Filippo Valsorda <valsorda@google.com> 2020-09-01T12:31:45Z Roberto Clapis roberto@golang.org 2020-08-26T06:53:03Z urn:sha1:eb07103a083237414145a45f029c873d57037e06 This CL ensures that responses served via CGI and FastCGI have a Content-Type header based on the content of the response if not explicitly set by handlers. If the implementers of the handler did not explicitly specify a Content-Type both CGI implementations would default to "text/html", potentially causing cross-site scripting. Thanks to RedTeam Pentesting GmbH for reporting this. Fixes CVE-2020-24553 Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 Reviewed-by: Russ Cox <rsc@google.com> (cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2020-08-11T19:01:57Z Andrew Bonventre andybons@golang.org 2020-08-11T18:06:24Z urn:sha1:0fdc3801bfd43d6f55e4ea5bf095e1ea55430339 Change-Id: Id2262ff66e750e798ebe7ecfcc13d2653cb85b71 Reviewed-on: https://go-review.googlesource.com/c/go/+/247905 Run-TryBot: Andrew Bonventre <andybons@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 2020-08-11T17:05:57Z Andrew andybons@golang.org 2020-08-11T15:03:03Z urn:sha1:cbc69e89b17188b3633bafa9d6e6c44f7f1a2ec0 5c7748dc9d doc/go1.15: encoding/json's CL 191783 was reverted 5ff5b3c557 doc/go1.15: remove draft notice 5ae1d62ee3 CONTRIBUTORS: update for the Go 1.15 release 7ad776dda5 doc/go1.15: document crypto/tls permanent error a93a4c1780 runtime: make nanotime1 reentrant Updates #40697 Change-Id: Ie39896ee6304544cc9e9c1938bdf176f1dcf8766 Reviewed-on: https://go-review.googlesource.com/c/go/+/247900 Run-TryBot: Andrew Bonventre <andybons@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 2020-08-07T14:56:02Z Alexander Rakoczy alex@golang.org 2020-08-06T20:23:54Z urn:sha1:c4f8cb43caf0bcd0c730d7d04a3fce129393cecc Change-Id: I2fe55c3f0328291b7d602cfae83d3f0b72cee14c Reviewed-on: https://go-review.googlesource.com/c/go/+/247238 Run-TryBot: Alexander Rakoczy <alex@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> 2020-08-06T19:39:24Z Alexander Rakoczy alex@golang.org 2020-08-06T19:22:07Z urn:sha1:fd4126ae7fb42424dd22e52e001e3445a45c2b56 ba9e108899 cmd: update golang.org/x/xerrors 027d7241ce encoding/binary: read at most MaxVarintLen64 bytes in ReadUvarint 6f08e89ec3 cmd/go: fix error stacks when there are scanner errors f235275097 net/http: fix cancelation of requests with a readTrackingBody wrapper f92337422e runtime/race: fix ppc64le build e49b2308a5 runtime/race: rebuild some .syso files to remove getauxval dependency 10523c0efb doc/go1.15: fix a few trivial inconsistencies 7388956b76 cmd/cgo: fix mangling of enum and union types b56791cdea runtime: validate candidate searchAddr in pageAlloc.find 10374e2435 testing: fix quotation marks 7f86080476 cmd/compile: don't addLocalInductiveFacts if there is no direct edge from if block to phi block 54e75e8f9d crypto/ed25519: remove s390x KDSA implementation 6b4dcf19fa runtime: hold sched.lock over globrunqputbatch in runqputbatch 85afa2eb19 runtime: ensure startm new M is consistently visible to checkdead c4fed25553 cmd/compile: add floating point load+op operations to addressing modes pass 19a932ceb8 cmd/link: don't mark shared library symbols reachable unconditionally 8696ae82c9 syscall: use correct file descriptor in dup2 fallback path 9591515f51 runtime, sync: add copyright headers to new files 074f2d800f doc/go1.15: surface the crypto/x509 CommonName deprecation note Change-Id: I0bfcff1fc2de723960909d9dda718fee6abc2912 2020-08-06T19:17:13Z Alexander Rakoczy alex@golang.org 2020-08-06T18:57:38Z urn:sha1:ba9e10889976025ee1d027db6b1cad383ec56de8 This pulls in CL 247217. Fixes #40573 Change-Id: I89eeebb5da9a4668adc6b5c5155651e5da421d59 Reviewed-on: https://go-review.googlesource.com/c/go/+/247186 Run-TryBot: Alexander Rakoczy <alex@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> 2020-08-06T17:24:10Z Katie Hockman katie@golang.org 2020-08-04T15:45:32Z urn:sha1:027d7241ce050d197e7fabea3d541ffbe3487258 This CL ensures that ReadUvarint consumes only a limited amount of input (instead of an unbounded amount). On some inputs, ReadUvarint could read an arbitrary number of bytes before deciding to return an overflow error. After this CL, ReadUvarint returns that same overflow error sooner, after reading at most MaxVarintLen64 bytes. Fix authored by Robert Griesemer and Filippo Valsorda. Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this. Fixes #40618 Fixes CVE-2020-16845 Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099 Reviewed-by: Filippo Valsorda <valsorda@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/247120 Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> 2020-08-05T18:24:52Z Michael Matloob matloob@golang.org 2020-08-04T17:24:37Z urn:sha1:6f08e89ec3280bf6577c2bdb01243cbeeb1a259d After golang.org/cl/228784 setLoadPackageDataError tries to decide whether an error is caused by an imported package or an importing package by examining the error itself to decide. Ideally, the errors themselves would belong to a specific interface or some other property to make it unambiguous that they were import errors. Since they don't, setLoadPackageDataError just checked for nogoerrors and classified all other errors as import errors. But it missed scanner errors which are also "caused" by the imported package. Fixes #40544 Change-Id: I39159bfdc286bee73697decd07b8aa9451f2db06 Reviewed-on: https://go-review.googlesource.com/c/go/+/246717 Run-TryBot: Michael Matloob <matloob@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com> 2020-08-04T19:27:13Z Damien Neil dneil@google.com 2020-07-28T19:49:52Z urn:sha1:f235275097eb68b36d171908cea6a0be23351a94 Use the original *Request in the reqCanceler map, not the transient wrapper created to handle body rewinding. Change the key of reqCanceler to a struct{*Request}, to make it more difficult to accidentally use the wrong request as the key. Fixes #40453. Change-Id: I4e61ee9ff2c794fb4c920a3a66c9a0458693d757 Reviewed-on: https://go-review.googlesource.com/c/go/+/245357 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>