go, branch go1.20.12

[release-branch.go1.20] go1.20.12

2023-12-05T18:12:58Z

Change-Id: I79ae17037f1b4a126d9ca04106b7943c0961d967 Reviewed-on: https://go-review.googlesource.com/c/go/+/547435 Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI Reviewed-by: Carlos Amedee Auto-Submit: Gopher Robot

[release-branch.go1.20] net/http: limit chunked data overhead

2023-12-05T17:18:16Z

The chunked transfer encoding adds some overhead to the content transferred. When writing one byte per chunk, for example, there are five bytes of overhead per byte of data transferred: "1\r\nX\r\n" to send "X". Chunks may include "chunk extensions", which we skip over and do not use. For example: "1;chunk extension here\r\nX\r\n". A malicious sender can use chunk extensions to add about 4k of overhead per byte of data. (The maximum chunk header line size we will accept.) Track the amount of overhead read in chunked data, and produce an error if it seems excessive. Updates #64433 Fixes #64434 Fixes CVE-2023-39326 Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135 Reviewed-by: Tatiana Bradley Reviewed-by: Roland Shoemaker (cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407 Run-TryBot: Roland Shoemaker TryBot-Result: Security TryBots Reviewed-by: Damien Neil Reviewed-on: https://go-review.googlesource.com/c/go/+/547355 Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI

[release-branch.go1.20] crypto/rand,runtime: revert "switch RtlGenRandom for ProcessPrng"

2023-11-29T20:58:26Z

This reverts CL 545356. Reason for revert: 1.20 still supports Windows versions before ProcessPrng was introduced. Change-Id: I224b8c4e7d0ca9ad5e733819b24dd92d14e61ab8 Reviewed-on: https://go-review.googlesource.com/c/go/+/545995 Reviewed-by: Dmitri Shuralyov TryBot-Bypass: Dmitri Shuralyov TryBot-Result: Gopher Robot Run-TryBot: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Auto-Submit: Dmitri Shuralyov

[release-branch.go1.20] cmd/compile: fix findIndVar so it does not match disjointed loop headers

2023-11-28T20:11:58Z

Fix #63983 parseIndVar, prove and maybe more are on the assumption that the loop header is a single block. This can be wrong, ensure we don't match theses cases we don't know how to handle. In the future we could update them so that they know how to handle such cases but theses cases seems rare so I don't think the value would be really high. We could also run a loop canonicalization pass first which could handle this. The repro case looks weird because I massaged it so it would crash with the previous compiler. Change-Id: I4aa8afae9e90a17fa1085832250fc1139c97faa6 Reviewed-on: https://go-review.googlesource.com/c/go/+/539977 Reviewed-by: Heschi Kreinick Reviewed-by: Keith Randall Reviewed-by: Keith Randall LUCI-TryBot-Result: Go LUCI (cherry picked from commit 8b4e1259d0e82c8fe38a1456f997a4e9d63573a2) Reviewed-on: https://go-review.googlesource.com/c/go/+/539936 Run-TryBot: Dmitri Shuralyov Reviewed-by: Mauri de Souza Meneguzzo TryBot-Bypass: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Reviewed-by: Jorropo Reviewed-by: Michael Knyszek TryBot-Result: Gopher Robot Reviewed-by: Dmitri Shuralyov Auto-Submit: Dmitri Shuralyov

[release-branch.go1.20] crypto/rand,runtime: switch RtlGenRandom for ProcessPrng

2023-11-28T17:48:50Z

RtlGenRandom is a semi-undocumented API, also known as SystemFunction036, which we use to generate random data on Windows. It's definition, in cryptbase.dll, is an opaque wrapper for the documented API ProcessPrng. Instead of using RtlGenRandom, switch to using ProcessPrng, since the former is simply a wrapper for the latter, there should be no practical change on the user side, other than a minor change in the DLLs we load. Updates #53192 Fixes #64412 Change-Id: Ie6891bf97b1d47f5368cccbe92f374dba2c2672a Reviewed-on: https://go-review.googlesource.com/c/go/+/536235 LUCI-TryBot-Result: Go LUCI Reviewed-by: Quim Muntal Auto-Submit: Roland Shoemaker Reviewed-by: Dmitri Shuralyov (cherry picked from commit 693def151adff1af707d82d28f55dba81ceb08e1) Reviewed-on: https://go-review.googlesource.com/c/go/+/545356 Auto-Submit: Dmitri Shuralyov

[release-branch.go1.20] path/filepath: consider \\?\c: as a volume on Windows

2023-11-28T16:59:25Z

While fixing several bugs in path handling on Windows, beginning with \\?\. Prior to #540277, VolumeName considered the first path component after the \\?\ prefix to be part of the volume name. After, it considered only the \\? prefix to be the volume name. Restore the previous behavior. For #64028. Fixes #64040. Change-Id: I6523789e61776342800bd607fb3f29d496257e68 Reviewed-on: https://go-review.googlesource.com/c/go/+/541175 LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker (cherry picked from commit eda42f7c60adab26ed1a340414c726c4bf46b1f7) Reviewed-on: https://go-review.googlesource.com/c/go/+/541520 Auto-Submit: Dmitri Shuralyov TryBot-Result: Gopher Robot Run-TryBot: Dmitri Shuralyov Reviewed-by: Damien Neil Reviewed-by: Dmitri Shuralyov

[release-branch.go1.20] cmd/go/internal/vcs: error out if the requested repo does not support a secure protocol

2023-11-27T21:12:47Z

Updates #63845. Fixes #63972. Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8 Reviewed-on: https://go-review.googlesource.com/c/go/+/539321 Reviewed-by: Michael Matloob LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker Auto-Submit: Bryan Mills (cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3) Reviewed-on: https://go-review.googlesource.com/c/go/+/540335 Auto-Submit: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov

[release-branch.go1.20] cmd/go/internal/modfetch/codehost: set core.longpaths in Git repos on Windows

2023-11-07T20:45:57Z

This setting appears to be needed to avoid “Filename too long” errors when downloading modules from repos with long branch names, particularly if the path to the module cache is already fairly long (as may be the case in CI systems and in tests of cmd/go itself). Fixes #63988. Change-Id: I3aa89ea872b29eb0460c8a8afc94f182a68982fd Reviewed-on: https://go-review.googlesource.com/c/go/+/482819 Reviewed-by: Russ Cox Reviewed-by: Heschi Kreinick Run-TryBot: Bryan Mills Auto-Submit: Bryan Mills TryBot-Result: Gopher Robot (cherry picked from commit 0c89487b1d9bac744091a5ff2a09541c71b66b85) Reviewed-on: https://go-review.googlesource.com/c/go/+/539278 LUCI-TryBot-Result: Go LUCI

[release-branch.go1.20] go1.20.11

2023-11-07T17:55:05Z

Change-Id: I7c978b96ef8fff9637033ce130c12051c670d476 Reviewed-on: https://go-review.googlesource.com/c/go/+/540516 TryBot-Bypass: Heschi Kreinick Reviewed-by: Heschi Kreinick Auto-Submit: Gopher Robot Reviewed-by: Cherry Mui

[release-branch.go1.20] path/filepath: fix various issues in parsing Windows paths

2023-11-07T17:04:58Z

On Windows, A root local device path is a path which begins with \\?\ or \??\. A root local device path accesses the DosDevices object directory, and permits access to any file or device on the system. For example \??\C:\foo is equivalent to common C:\foo. The Clean, IsAbs, IsLocal, and VolumeName functions did not recognize root local device paths beginning with \??\. Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. It will now convert this path into .\??\b. IsAbs now correctly reports paths beginning with \??\ as absolute. IsLocal now correctly reports paths beginning with \??\ as non-local. VolumeName now reports the \??\ prefix as a volume name. Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. It will now convert this to \.\??\b. In addition, the IsLocal function did not correctly detect reserved names in some cases: - reserved names followed by spaces, such as "COM1 ". - "COM" or "LPT" followed by a superscript 1, 2, or 3. IsLocal now correctly reports these names as non-local. For #63713 Fixes #63714 Fixes CVE-2023-45283 Fixes CVE-2023-45284 Change-Id: I446674a58977adfa54de7267d716ac23ab496c54 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2040691 Reviewed-by: Roland Shoemaker Reviewed-by: Tatiana Bradley Run-TryBot: Damien Neil Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2072597 Reviewed-by: Cherry Mui Reviewed-on: https://go-review.googlesource.com/c/go/+/539276 Auto-Submit: Heschi Kreinick LUCI-TryBot-Result: Go LUCI