Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.17.12 2022-07-12T20:15:34Z 2022-07-12T20:15:34Z Gopher Robot gobot@golang.org 2022-07-12T19:59:59Z urn:sha1:1ed3c127daceaffb9aadc806ba60f0b51b47421b Change-Id: I12bfc6a625d61a7a25ecdaa10c8f78953c4c3bcf Reviewed-on: https://go-review.googlesource.com/c/go/+/417178 Run-TryBot: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com> 2022-07-12T15:20:44Z Roland Shoemaker bracewell@google.com 2022-06-07T20:00:43Z urn:sha1:cd54600b866db0ad068ab8df06c7f5f6cb55c9b3 Enforce a nesting limit of 10,000 for ignored fields during decoding of messages. This prevents the possibility of triggering stack exhaustion. Fixes #53709 Updates #53615 Fixes CVE-2022-30635 Change-Id: I05103d06dd5ca3945fcba3c1f5d3b5a645e8fb0f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1484771 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> (cherry picked from commit 55e8f938d22bfec29cc9dc9671044c5a41d1ea9c) Reviewed-on: https://go-review.googlesource.com/c/go/+/417074 Run-TryBot: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> 2022-07-12T15:20:41Z Julie Qiu julieqiu@google.com 2022-06-23T23:18:56Z urn:sha1:76f8b7304d1f7c25834e2a0cc9e88c55276c47df A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes #53713 Updates #53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> 2022-07-12T15:20:37Z Julie Qiu julieqiu@google.com 2022-06-23T23:17:53Z urn:sha1:8c1d8c836270615cfb5b229932269048ef59ac07 A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported a similar issue in path/filepath. Fixes #53719 Updates #53415 Fixes CVE-2022-30630 Change-Id: I5a9d02591fed90cd3d52627f5945f1301e53465d Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1497588 Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit fdccc5d7bd0f276d0a8de3a818ca844f0bed5d97) Reviewed-on: https://go-review.googlesource.com/c/go/+/417072 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> 2022-07-12T15:20:33Z Tatiana Bradley tatiana@golang.org 2022-05-06T15:25:06Z urn:sha1:0117dee7dccbbd7803d88f65a2ce8bd686219ad3 Replace recursion with iteration in Reader.Read to avoid stack exhaustion when there are a large number of files. Fixes CVE-2022-30631 Fixes #53717 Updates #53168 Change-Id: I47d8afe3f2d40b0213ab61431df9b221794dbfe0 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1455673 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit cf498969c8a0bae9d7a24b98fc1f66c824a4775d) Reviewed-on: https://go-review.googlesource.com/c/go/+/417071 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2022-07-12T15:20:29Z Roland Shoemaker bracewell@google.com 2022-06-15T17:43:05Z urn:sha1:ba8788ebcead55e99e631c6a1157ad7b35535d11 Limit nested parsing to 100,000, which prevents stack exhaustion when parsing deeply nested statements, types, and expressions. Also limit the scope depth to 1,000 during object resolution. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #53707 Updates #53616 Fixes CVE-2022-1962 Change-Id: I4d7b86c1d75d0bf3c7af1fdea91582aa74272c64 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1491025 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 6a856f08d58e4b6705c0c337d461c540c1235c83) Reviewed-on: https://go-review.googlesource.com/c/go/+/417070 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> 2022-07-12T15:20:25Z Roland Shoemaker roland@golang.org 2022-03-29T22:52:09Z urn:sha1:2678d0c957193dceef336c969a9da74dd716a827 Prevent exhausting the stack limit when unmarshalling extremely deeply nested structures into nested types. Fixes #53715 Updates #53611 Fixes CVE-2022-30633 Change-Id: Ic6c5d41674c93cfc9a316135a408db9156d39c59 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1421319 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> (cherry picked from commit ebee00a55e28931b2cad0e76207a73712b000432) Reviewed-on: https://go-review.googlesource.com/c/go/+/417069 Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2022-07-12T15:20:21Z Roland Shoemaker roland@golang.org 2022-03-29T01:41:26Z urn:sha1:58facfbe7db2fbb9afed794b281a70bdb12a60ae Prevents exhausting the stack limit in _incredibly_ deeply nested structures. Fixes #53711 Updates #53614 Fixes CVE-2022-28131 Change-Id: I47db4595ce10cecc29fbd06afce7b299868599e6 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1419912 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 9278cb78443d2b4deb24cbb5b61c9ba5ac688d49) Reviewed-on: https://go-review.googlesource.com/c/go/+/417068 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> 2022-07-12T14:51:39Z Damien Neil dneil@google.com 2022-06-17T17:09:45Z urn:sha1:ed2f33e1a7e0d18f61bd56f7ee067331d612c27e ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For #53423 For CVE-2022-32148 Fixes #53620 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a) Reviewed-on: https://go-review.googlesource.com/c/go/+/415221 Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> 2022-07-12T14:50:37Z Damien Neil dneil@google.com 2022-06-01T18:17:07Z urn:sha1:d13431c37ab62f9755f705731536ff74e7165b08 Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For #53188 For CVE-2022-1705 Fixes #53432 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit e5017a93fcde94f09836200bca55324af037ee5f) Reviewed-on: https://go-review.googlesource.com/c/go/+/415217 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>