go, branch go1.16.2

[release-branch.go1.16] go1.16.2

2021-03-11T17:08:05Z

Change-Id: I0513a9731e0e0d57bfeda0ffab1c5787edc916f8 Reviewed-on: https://go-review.googlesource.com/c/go/+/300969 Run-TryBot: Carlos Amedee TryBot-Result: Go Bot Reviewed-by: Dmitri Shuralyov Trust: Carlos Amedee

[release-branch.go1.16] cmd/go: clarify errors for commands run outside a module

2021-03-10T21:27:07Z

The new error message tells the user what was wrong (no go.mod found) and directs them to 'go help modules', which links to tutorials. Includes test fix from CL 298794 Fixes #44746 Change-Id: I98f31fec4a8757eb1792b45491519da4c552cb0f Reviewed-on: https://go-review.googlesource.com/c/go/+/298650 Trust: Jay Conrod Run-TryBot: Jay Conrod TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills (cherry picked from commit b87e9b9f68f1eb0d685fd250b3b47495710e0059) Reviewed-on: https://go-review.googlesource.com/c/go/+/298929

[release-branch.go1.16] cmd/go: don't report missing std import errors for tidy and vendor

2021-03-10T21:25:35Z

'go mod tidy' and 'go mod vendor' normally report errors when a package can't be imported, even if the import appears in a file that wouldn't be compiled by the current version of Go. These errors are common for packages introduced in higher versions of Go, like "embed" in 1.16. This change causes 'go mod tidy' and 'go mod vendor' to ignore missing package errors if the import path appears to come from the standard library because it lacks a dot in the first path element. Fixes #44793 Updates #27063 Change-Id: I61d6443e77ab95fd8c0d1514f57ef4c8885a77cc Reviewed-on: https://go-review.googlesource.com/c/go/+/298749 Trust: Jay Conrod Run-TryBot: Jay Conrod Reviewed-by: Bryan C. Mills TryBot-Result: Go Bot (cherry picked from commit 56d52e661114be60fb1893b034ac0c5976b622af) Reviewed-on: https://go-review.googlesource.com/c/go/+/298949

[release-branch.go1.16] all: merge release-branch.go1.16-security into release-branch.go1.16

2021-03-10T16:55:14Z

Change-Id: Icc8775f559b0125eae94ce4ffd4dcb4e7146a500

[release-branch.go1.16-security] go1.16.1

2021-03-10T14:25:03Z

Change-Id: I4999d72caf9462554a2a6f1d761244cafec34718 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1014541 Reviewed-by: Katie Hockman

[release-branch.go1.16-security] archive/zip: fix panic in Reader.Open

2021-03-09T17:55:16Z

When operating on a Zip file that contains a file prefixed with "../", Open(...) would cause a panic in toValidName when attempting to strip the prefixed path components. Fixes CVE-2021-27919 Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761 Reviewed-by: Filippo Valsorda Reviewed-by: Russ Cox Reviewed-by: Katie Hockman (cherry picked from commit ce22003b26eaf8e4a690757f699aae7062d41472) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1013753 Reviewed-by: Roland Shoemaker

[release-branch.go1.16-security] encoding/xml: prevent infinite loop while decoding

2021-03-09T17:55:05Z

This change properly handles a TokenReader which returns an EOF in the middle of an open XML element. Thanks to Sam Whited for reporting this. Fixes CVE-2021-27918 Change-Id: Id02a3f3def4a1b415fa2d9a8e3b373eb6cb0f433 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004594 Reviewed-by: Russ Cox Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda (cherry picked from commit e7ce1f6746223ec7b4caa3b1ece25d9be3864710) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1014235

[release-branch.go1.16] cmd: upgrade golang.org/x/mod to relax import path check

2021-03-03T17:59:29Z

This incorporates CL 298009, which allows leading dots in import path elements but not module path elements. Also added a test. Fixes #44647 Updates #34992 Change-Id: I2d5faabd8f7b23a7943d3f3ccb6707ab5dc2ce3c Reviewed-on: https://go-review.googlesource.com/c/go/+/297530 Trust: Jay Conrod Run-TryBot: Jay Conrod TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills (cherry picked from commit 97bdac03aee805cfa54e7762037a568d85339970) Reviewed-on: https://go-review.googlesource.com/c/go/+/297912 Reviewed-by: Dmitri Shuralyov

[release-branch.go1.16] cmd/go/internal/modload: don't query when fixing canonical versions

2021-03-03T17:58:41Z

If a canonical version is passed to fixVersion when loading the main go.mod and that version don't match the module path's major version suffix, don't call Query. Query doesn't return a useful error in this case when the path is malformed, for example, when it doens't have a dot in the first path element. It's better to report the major version mismatch error. Fixes #44496 Change-Id: I97b1f64aee894fa0db6fb637aa03a51357ee782c Reviewed-on: https://go-review.googlesource.com/c/go/+/296590 Trust: Jay Conrod Run-TryBot: Jay Conrod TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills (cherry picked from commit 5fafc0bbd4819578e58e5b9163981b0074ab0b01) Reviewed-on: https://go-review.googlesource.com/c/go/+/297989 Reviewed-by: Dmitri Shuralyov

[release-branch.go1.16] cmd: upgrade golang.org/x/mod to fix go.mod parser

2021-03-03T17:58:27Z

modfile.Parse passed an empty string to the VersionFixer for the module path. This caused errors for v2+ versions. For #44496 Change-Id: I13b86b6ecf6815c4bc9a96ec0668284c9228c205 Reviewed-on: https://go-review.googlesource.com/c/go/+/296131 Trust: Jay Conrod Run-TryBot: Jay Conrod TryBot-Result: Go Bot Reviewed-by: Bryan C. Mills (cherry picked from commit bcac57f89c0ec609e6fbebcbcd42bb73fdaef2f0) Reviewed-on: https://go-review.googlesource.com/c/go/+/297990 Reviewed-by: Dmitri Shuralyov