go, branch go1.20.11

[release-branch.go1.20] go1.20.11

2023-11-07T17:55:05Z

Change-Id: I7c978b96ef8fff9637033ce130c12051c670d476 Reviewed-on: https://go-review.googlesource.com/c/go/+/540516 TryBot-Bypass: Heschi Kreinick Reviewed-by: Heschi Kreinick Auto-Submit: Gopher Robot Reviewed-by: Cherry Mui

[release-branch.go1.20] path/filepath: fix various issues in parsing Windows paths

2023-11-07T17:04:58Z

On Windows, A root local device path is a path which begins with \\?\ or \??\. A root local device path accesses the DosDevices object directory, and permits access to any file or device on the system. For example \??\C:\foo is equivalent to common C:\foo. The Clean, IsAbs, IsLocal, and VolumeName functions did not recognize root local device paths beginning with \??\. Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. It will now convert this path into .\??\b. IsAbs now correctly reports paths beginning with \??\ as absolute. IsLocal now correctly reports paths beginning with \??\ as non-local. VolumeName now reports the \??\ prefix as a volume name. Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. It will now convert this to \.\??\b. In addition, the IsLocal function did not correctly detect reserved names in some cases: - reserved names followed by spaces, such as "COM1 ". - "COM" or "LPT" followed by a superscript 1, 2, or 3. IsLocal now correctly reports these names as non-local. For #63713 Fixes #63714 Fixes CVE-2023-45283 Fixes CVE-2023-45284 Change-Id: I446674a58977adfa54de7267d716ac23ab496c54 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2040691 Reviewed-by: Roland Shoemaker Reviewed-by: Tatiana Bradley Run-TryBot: Damien Neil Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2072597 Reviewed-by: Cherry Mui Reviewed-on: https://go-review.googlesource.com/c/go/+/539276 Auto-Submit: Heschi Kreinick LUCI-TryBot-Result: Go LUCI

[release-branch.go1.20] net/http: pull http2 underflow fix from x/net/http2

2023-10-30T21:11:06Z

After CL 534295 was merged to fix a CVE it introduced an underflow when we try to decrement sc.curHandlers in handlerDone. Pull in a fix from x/net/http2: http2: fix underflow in http2 server push https://go-review.googlesource.com/c/net/+/535595 For #63511 Fixes #63740 Change-Id: I5c678ce7dcc53635f3ad5e4999857cb120dfc1ab GitHub-Last-Rev: 587ffa3cafbb9da6bc82ba8a5b83313f81e5c89b GitHub-Pull-Request: golang/go#63561 Reviewed-on: https://go-review.googlesource.com/c/go/+/535575 Run-TryBot: Mauri de Souza Meneguzzo Reviewed-by: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Reviewed-by: David Chase Auto-Submit: Dmitri Shuralyov TryBot-Result: Gopher Robot (cherry picked from commit 0046c1414c4910dfe54abfcdbe18e565dd5a60f6) Reviewed-on: https://go-review.googlesource.com/c/go/+/538095 LUCI-TryBot-Result: Go LUCI Reviewed-by: Cherry Mui

[release-branch.go1.20] cmd/link: split text sections for arm 32-bit

2023-10-12T22:37:08Z

This CL is a roll-forward (tweaked slightly) of CL 467715, which turned on text section splitting for GOARCH=arm. The intent is to avoid recurrent problems with external linking where there is a disagreement between the Go linker and the external linker over whether a given branch will reach. In the past our approach has been to tweak the reachability calculations slightly to try to work around potential linker problems, but this hasn't proven to be very robust; section splitting seems to offer a better long term fix. Updates #58425. Fixes #63316. Change-Id: I7372d41abce84097906a3d0805b6b9c486f345d6 Reviewed-on: https://go-review.googlesource.com/c/go/+/531795 Reviewed-by: Cherry Mui Run-TryBot: Than McIntosh TryBot-Result: Gopher Robot (cherry picked from commit 1e690409206ff97330b5a91517d453fc5129bab2) Reviewed-on: https://go-review.googlesource.com/c/go/+/532097 Auto-Submit: Dmitri Shuralyov

[release-branch.go1.20] all: tidy dependency versioning after release

2023-10-10T19:19:46Z

Done with: go get golang.org/x/net@internal-branch.go1.20-vendor go mod tidy go mod vendor go generate net/http # zero diff since CL 534255 already did this For #63417. For #63426. For CVE-2023-39325. Change-Id: Ib258e0d8165760a1082e02c2f4c5ce7d2a3c3c90 Reviewed-on: https://go-review.googlesource.com/c/go/+/534297 Auto-Submit: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Reviewed-by: Michael Pratt TryBot-Bypass: Dmitri Shuralyov

[release-branch.go1.20] go1.20.10

2023-10-10T16:26:21Z

Change-Id: I328fce7b2411092a066ee32dd77f18ec5744e707 Reviewed-on: https://go-review.googlesource.com/c/go/+/534336 Reviewed-by: Dmitri Shuralyov Commit-Queue: Gopher Robot Reviewed-by: Heschi Kreinick Auto-Submit: Gopher Robot TryBot-Bypass: Dmitri Shuralyov Reviewed-by: Michael Pratt

[release-branch.go1.20] net/http: regenerate h2_bundle.go

2023-10-10T16:18:02Z

Pull in a security fix from x/net/http2: http2: limit maximum handler goroutines to MaxConcurrentStreamso For #63417 Fixes #63426 Fixes CVE-2023-39325 Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401 Reviewed-by: Tatiana Bradley TryBot-Result: Security TryBots Run-TryBot: Damien Neil Reviewed-by: Ian Cottrell Reviewed-on: https://go-review.googlesource.com/c/go/+/534255 Reviewed-by: Dmitri Shuralyov Reviewed-by: Damien Neil TryBot-Bypass: Dmitri Shuralyov Reviewed-by: Michael Pratt Auto-Submit: Dmitri Shuralyov

[release-branch.go1.20] go1.20.9

2023-10-05T19:28:06Z

Change-Id: Ic4eedc3dc193c335784b5a86214ea2e655e631a7 Reviewed-on: https://go-review.googlesource.com/c/go/+/533237 Reviewed-by: Dmitri Shuralyov Reviewed-by: Michael Pratt TryBot-Bypass: Michael Pratt Auto-Submit: Gopher Robot Reviewed-by: Than McIntosh

[release-branch.go1.20] cmd/compile: use absolute file name in isCgo check

2023-10-05T18:31:32Z

For #23672 Updates #63211 Fixes #63213 Fixes CVE-2023-39323 Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884 Reviewed-by: Matthew Dempsky Reviewed-by: Roland Shoemaker (cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629 Reviewed-by: Tatiana Bradley Run-TryBot: Roland Shoemaker Reviewed-by: Damien Neil Reviewed-on: https://go-review.googlesource.com/c/go/+/533195 Auto-Submit: Michael Pratt Reviewed-by: Ian Lance Taylor TryBot-Bypass: Michael Pratt Reviewed-by: Than McIntosh

[release-branch.go1.20] cmd/link: suppress -bind_at_load deprecation warning for ld-prime

2023-09-21T22:22:16Z

ld-prime emits a deprecation warning for -bind_at_load. The flag is needed for plugins to not deadlock (#38824) when linking with older darwin linker. It is supposedly not needed with newer linker when chained fixups are used. For now, we always pass it, and suppress the warning. Updates #61229. For #62597. Change-Id: I4b8a6f864a460c40dc38adbb533f664f7fd5343c Reviewed-on: https://go-review.googlesource.com/c/go/+/508696 Reviewed-by: Than McIntosh TryBot-Result: Gopher Robot Run-TryBot: Cherry Mui (cherry picked from commit 040dbf9c181a0e3ea9f7bd3ebe3f75acdc878aaf) Reviewed-on: https://go-review.googlesource.com/c/go/+/527798