Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.19.9 2023-05-02T17:21:05Z 2023-05-02T17:21:05Z Gopher Robot gobot@golang.org 2023-05-02T16:59:22Z urn:sha1:484330d038d060c6e4db3dc8e6ea2b811b2a44d8 Change-Id: Ib6c0fa04bf59bfaae8081927059b4860dfcf6d21 Reviewed-on: https://go-review.googlesource.com/c/go/+/491436 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Carlos Amedee <carlos@golang.org> 2023-05-02T16:36:07Z Roland Shoemaker bracewell@google.com 2023-04-13T21:01:50Z urn:sha1:9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 An unquoted action used as an attribute value can result in unsafe behavior if it is empty, as HTML normalization will result in unexpected attributes, and may allow attribute injection. If executing a template results in a empty unquoted attribute value, emit filterFailsafe instead. Thanks to Juho Nurminen of Mattermost for reporting this issue. For #59722 Fixes #59815 Fixes CVE-2023-29400 Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851498 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491357 Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2023-05-02T16:35:20Z Roland Shoemaker bracewell@google.com 2023-04-11T15:27:43Z urn:sha1:ce7bd33345416e6d8cac901792060591cafc2797 Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For #59721 Fixes #59813 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Bypass: Carlos Amedee <carlos@golang.org> Run-TryBot: Carlos Amedee <carlos@golang.org> 2023-05-02T16:31:51Z Roland Shoemaker bracewell@google.com 2023-04-13T22:40:44Z urn:sha1:e49282327b05192e46086bf25fd3ac691205fe80 Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For #59720 Fixes #59811 Fixes CVE-2023-24539 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491335 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-04-24T18:24:46Z Tero Saarni tero.saarni@gmail.com 2023-04-12T10:07:07Z urn:sha1:c3c53a2c67f6f851ef974d54db1cc0d4d0ee6f75 When server and client have mismatch in curve preference, the server will send HelloRetryRequest during TLSv1.3 PSK resumption. There was a bug introduced by Go1.19.6 or later and Go1.20.1 or later, that makes the client calculate the PSK binder hash incorrectly. Server will reject the TLS handshake by sending alert: invalid PSK binder. For #59424. Fixes #59539. Change-Id: I2ca8948474275740a36d991c057b62a13392dbb9 GitHub-Last-Rev: 1aad9bcf27f563449c1a7ed6d0dd1d247cc65713 GitHub-Pull-Request: golang/go#59425 Reviewed-on: https://go-review.googlesource.com/c/go/+/481955 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> (cherry picked from commit 2c70690451f1484607a9172a4c24f78ae832dcb0) Reviewed-on: https://go-review.googlesource.com/c/go/+/488075 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> 2023-04-24T13:43:33Z Keith Randall khr@golang.org 2023-04-01T17:33:26Z urn:sha1:ca9947db78f4dd37052e163850ed23e8c47d7e21 Use the type of the store for the byteswap, not the type of the store's value argument. Normally when we're storing a 16-bit value, the value being stored is also typed as 16 bits. But sometimes it is typed as something smaller, usually because it is the result of an upcast from a smaller value, and that upcast needs no instructions. If the type of the store's arg is thinner than the type being stored, and the byteswap'd value uses that thinner type, and the byteswap'd value needs to be spilled & restored, that spill/restore happens using the thinner type, which causes us to lose some of the top bits of the value. Fixes #59373 Change-Id: If6ce1e8a76f18bf8e9d79871b6caa438bc3cce4d Reviewed-on: https://go-review.googlesource.com/c/go/+/481395 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Run-TryBot: Keith Randall <khr@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/483177 Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> 2023-04-14T18:01:07Z Ian Lance Taylor iant@golang.org 2023-03-22T20:33:14Z urn:sha1:130a7f8e8d5d3ecb7f17a741cc18e96f134fc38a If we increased the NOFILE rlimit when starting the program, restore the original rlimit when forking a child process. In CL 393354 the os package was changed to raise the open file rlimit at program start. That code is not inherently tied to the os package. This CL moves it into the syscall package. This is a backport of CLs 476096 and 476097 from trunk. For #46279 Fixes #59063 Change-Id: I9be6ecc52d4f82eb226907611aec9df808e1da84 Reviewed-on: https://go-review.googlesource.com/c/go/+/478660 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com> 2023-04-12T20:25:00Z Junwei Zuo zuojunwei.2023@bytedance.com 2023-04-12T10:53:51Z urn:sha1:abb86e6e82ec67f7b7cecd8c6225466b25ca2814 Range statement will mutate the key and value, so we should treat them as reassigned. Fixes #59579 Change-Id: I9c6b67d938760a0c6a1d9739f2737c67af4a3a10 Reviewed-on: https://go-review.googlesource.com/c/go/+/483855 Run-TryBot: Wayne Zuo <wdvxdr@golangcn.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Matthew Dempsky <mdempsky@google.com> Auto-Submit: Keith Randall <khr@golang.org> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Keith Randall <khr@golang.org> (cherry picked from commit 89567a35c11c343cf765d6fb1270e1250e50d83f) Reviewed-on: https://go-review.googlesource.com/c/go/+/484135 Run-TryBot: Matthew Dempsky <mdempsky@google.com> 2023-04-05T16:19:14Z Michael Anthony Knyszek mknyszek@google.com 2023-04-04T22:07:09Z urn:sha1:22c1d18a276a6edadfb140ad7013ed74b7ed792b This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. For #59269. Updates #59234. For #59271. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482535 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com> 2023-04-05T15:28:06Z Michael Knyszek mknyszek@google.com 2023-04-03T20:07:11Z urn:sha1:e6130c66c87ba54b5847825ca68d221d8898ceb5 This CL changes the inliner to process transitive inlining iteratively after the AST has actually been edited, rather than recursively and immediately. This is important for handling indirect function calls correctly, because ir.reassigned walks the function body looking for reassignments; whereas previously the inlined reassignments might not have been actually added to the AST yet. Fixes #59158. This change was previously reverted as CL 481796 because the branch was frozen for release. Change-Id: I97fcd32956cc1349d87a92066e8559cb90da73b7 Reviewed-on: https://go-review.googlesource.com/c/go/+/481797 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Michael Knyszek <mknyszek@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>