go, branch go1.16.5

[release-branch.go1.16] go1.16.5

2021-06-03T17:14:44Z

Change-Id: Ibe47050481a01ec434f87db31048981e21fba1c3 Reviewed-on: https://go-review.googlesource.com/c/go/+/324552 Run-TryBot: David Chase Trust: David Chase Reviewed-by: Carlos Amedee TryBot-Result: Go Bot

[release-branch.go1.16] net: don't rely on system hosts in TestCVE202133195

2021-06-02T23:09:01Z

Also don't unnecessarily deref the error return. Updates #46504 Fixes #46530 Change-Id: I22d14ac76776f8988fa0774bdcb5fcd801ce0185 Reviewed-on: https://go-review.googlesource.com/c/go/+/324190 Trust: David Chase Trust: Damien Neil Run-TryBot: David Chase TryBot-Result: Go Bot Reviewed-by: Damien Neil (cherry picked from commit dd7ba3ba2c860c40be6d70b63d4a678449cae80f) Reviewed-on: https://go-review.googlesource.com/c/go/+/324332 Run-TryBot: Damien Neil Reviewed-by: Ian Lance Taylor

[release-branch.go1.16] cmd/go: error out of 'go mod tidy' if the go version is newer than supported

2021-06-02T19:00:32Z

This backports the test from CL 319669, but — because of extensive changes to the module loader during the Go 1.17 cycle — the implementation is entirely different. (This implementation is based on the addGoStmt function present in init.go in the 1.16 branch.) Fixes #46144 Updates #46142 Change-Id: Ib7a0a159e53cbe476be6aa9a050add10cc750dec Reviewed-on: https://go-review.googlesource.com/c/go/+/319671 Trust: Bryan C. Mills Run-TryBot: Bryan C. Mills TryBot-Result: Go Bot Reviewed-by: Jay Conrod

[release-branch.go1.16] cmd/go: use a real Go version in the go.mod files in TestScript/mod_readonly

2021-06-02T19:00:23Z

For some reason, the go.mod file added to this test in CL 147281 lists 'go 1.20' instead of the version that was actually current when the go.mod file was added. That causes the test's behavior to change under lazy loading, because 1.20 is above the threshold to trigger lazy-loading invariants (1.17). This backports CL 314049 to Go 1.16 in order to fix a spurious test failure in a subsequent change. For #46144 Updates #46142 Updates #36460 Change-Id: I92400996cb051ab30e99bfffafd91ff32a1e7087 Reviewed-on: https://go-review.googlesource.com/c/go/+/314049 Trust: Bryan C. Mills Run-TryBot: Bryan C. Mills Reviewed-by: Michael Matloob TryBot-Result: Go Bot Reviewed-on: https://go-review.googlesource.com/c/go/+/319670 Reviewed-by: Jay Conrod

[release-branch.go1.16] cmd/go: in 'go mod download' without args, don't save module zip sums

2021-06-02T18:51:58Z

'go mod download' without arguments is frequently used to populate the module cache. It tends to fetch a lot of extra files (for modules in the build list that aren't needed to build packages in the main module). It's annoying when sums are written for these extra files. 'go mod download mod@version' will still write sums for specific modules in the build list. 'go mod download all' still has the previous behavior. For now, all invocations of 'go mod download' still update go.mod and go.sum with changes needed to load the build list (1.15 behavior). Fixes #46214 Change-Id: I9e17d18a7466ac7271a0e1a2b663f6b3cb168c97 Reviewed-on: https://go-review.googlesource.com/c/go/+/318629 Trust: Jay Conrod Reviewed-by: Bryan C. Mills (cherry picked from commit 4fb10b2118cb16445f2d089f79beb3d32db3db12) Reviewed-on: https://go-review.googlesource.com/c/go/+/321892 Run-TryBot: Jay Conrod TryBot-Result: Go Bot

[release-branch.go1.16] cmd/link/internal: fix use of DynlinkingGo with ppc64le trampolines

2021-06-02T18:44:27Z

When creating programs with large text sections on ppc64le, trampolines are needed for calls that are too far; however they are not created if the code is generated such that the TOC register r2 is initialized and maintained in the code because then the external linker can create the trampolines. Previously the function DynlinkingGo was used to determine this but in the case where plugins are used, this could return true even though r2 is not valid. To fix this problem I've added a new function r2Valid which returns true when the build options indicate that the r2 is initialized and maintained. Because of the ways that DynlinkingGo is used I wanted to maintain its previous behavior. Fixes #45927 Change-Id: I6d902eba6ad41757aa6474948b79acdbd479cb38 Reviewed-on: https://go-review.googlesource.com/c/go/+/315289 Trust: Lynn Boger Run-TryBot: Lynn Boger Reviewed-by: Cherry Zhang TryBot-Result: Go Bot (cherry picked from commit 9ed736ac2a99aa2e7ef7d8bed3b01ca8b20a6f80) Reviewed-on: https://go-review.googlesource.com/c/go/+/316750 Run-TryBot: Dmitri Shuralyov Reviewed-by: Cherry Mui

[release-branch.go1.16] net/http: prevent infinite wait during TestMissingStatusNoPanic

2021-06-02T01:35:23Z

If the client request never makes it to the server, the outstanding accept is never broken. Change the test to always close the listening socket when the client request completes. Updates #45358 Change-Id: I744a91dfa11704e7e528163d7669c394e90456dc Reviewed-on: https://go-review.googlesource.com/c/go/+/319275 Trust: Heschi Kreinick Reviewed-by: Bryan C. Mills (cherry picked from commit c0a7ecfae775a9d50d338e8123fac32a5d04308c) Reviewed-on: https://go-review.googlesource.com/c/go/+/320190 Reviewed-by: Damien Neil Run-TryBot: Bryan C. Mills TryBot-Result: Go Bot

[release-branch.go1.16] net/http/httputil: always remove hop-by-hop headers

2021-05-28T13:53:35Z

Previously, we'd fail to remove the Connection header from a request like this: Connection: Connection: x-header Updates #46313 Fixes #46315 Fixes CVE-2021-33197 Change-Id: Ie3009e926ceecfa86dfa6bcc6fe14ff01086be7d Reviewed-on: https://go-review.googlesource.com/c/go/+/321929 Run-TryBot: Filippo Valsorda Reviewed-by: Katie Hockman Trust: Katie Hockman Trust: Filippo Valsorda TryBot-Result: Go Bot (cherry picked from commit 950fa11c4cb01a145bb07eeb167d90a1846061b3) Reviewed-on: https://go-review.googlesource.com/c/go/+/323090

[release-branch.go1.16] archive/zip: only preallocate File slice if reasonably sized

2021-05-28T13:53:29Z

Since the number of files in the EOCD record isn't validated, it isn't safe to preallocate Reader.Files using that field. A malformed archive can indicate it contains up to 1 << 128 - 1 files. We can still safely preallocate the slice by checking if the specified number of files in the archive is reasonable, given the size of the archive. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. Updates #46242 Fixes #46397 Fixes CVE-2021-33196 Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76 Reviewed-on: https://go-review.googlesource.com/c/go/+/318909 Trust: Roland Shoemaker Trust: Katie Hockman Trust: Joe Tsai Run-TryBot: Roland Shoemaker TryBot-Result: Go Bot Reviewed-by: Katie Hockman Reviewed-by: Joe Tsai (cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c) Reviewed-on: https://go-review.googlesource.com/c/go/+/322909 Reviewed-by: Filippo Valsorda

[release-branch.go1.16] net: verify results from Lookup* are valid domain names

2021-05-27T20:29:21Z

For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr check that the returned domain names are in fact valid DNS names using the existing isDomainName function. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. Updates #46241 Fixes #46357 Fixes CVE-2021-33195 Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3 Reviewed-on: https://go-review.googlesource.com/c/go/+/323131 Trust: Roland Shoemaker Run-TryBot: Roland Shoemaker TryBot-Result: Go Bot Reviewed-by: Filippo Valsorda Reviewed-by: Katie Hockman (cherry picked from commit cdcd02842da7c004efd023881e3719105209c908) Reviewed-on: https://go-review.googlesource.com/c/go/+/323270