<feed xmlns='http://www.w3.org/2005/Atom'>
<title>go, branch go1.21.8</title>
<subtitle>Fork of Go programming language with my patches.</subtitle>
<id>http://git.kilabit.info/go/atom?h=go1.21.8</id>
<link rel='self' href='http://git.kilabit.info/go/atom?h=go1.21.8'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/'/>
<updated>2024-03-05T17:38:51Z</updated>
<entry>
<title>[release-branch.go1.21] go1.21.8</title>
<updated>2024-03-05T17:38:51Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2024-03-05T16:59:55Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=63992defa823418e8ad91a39777cd671cff89894'/>
<id>urn:sha1:63992defa823418e8ad91a39777cd671cff89894</id>
<content type='text'>
Change-Id: I44203158172ca3e66f8ce4ab84f54c9247dacb28
Reviewed-on: https://go-review.googlesource.com/c/go/+/569256
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
Reviewed-by: Michael Knyszek &lt;mknyszek@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] net/textproto, mime/multipart: avoid unbounded read in MIME header</title>
<updated>2024-03-05T16:51:36Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2024-01-16T23:37:52Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=bf80213b121074f4ad9b449410a4d13bae5e9be0'/>
<id>urn:sha1:bf80213b121074f4ad9b449410a4d13bae5e9be0</id>
<content type='text'>
mime/multipart.Reader.ReadForm allows specifying the maximum amount
of memory that will be consumed by the form. While this limit is
correctly applied to the parsed form data structure, it was not
being applied to individual header lines in a form.

For example, when presented with a form containing a header line
that never ends, ReadForm will continue to read the line until it
runs out of memory.

Limit the amount of data consumed when reading a header.

Fixes CVE-2023-45290
Fixes #65389
For #65383

Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-by: Tatiana Bradley &lt;tatianabradley@google.com&gt;
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776
Reviewed-by: Carlos Amedee &lt;amedee@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/569240
Auto-Submit: Michael Knyszek &lt;mknyszek@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones</title>
<updated>2024-03-05T16:51:34Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2024-01-11T19:31:57Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=20586c0dbe03d144f914155f879fa5ee287591a1'/>
<id>urn:sha1:20586c0dbe03d144f914155f879fa5ee287591a1</id>
<content type='text'>
When deciding whether to forward cookies or sensitive headers
across a redirect, do not attempt to interpret an IPv6 address
as a domain name.

Avoids a case where a maliciously-crafted redirect to an
IPv6 address with a scoped addressing zone could be
misinterpreted as a within-domain redirect. For example,
we could interpret "::1%.www.example.com" as a subdomain
of "www.example.com".

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes CVE-2023-45289
Fixes #65385
For #65065

Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
Reviewed-by: Tatiana Bradley &lt;tatianabradley@google.com&gt;
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
Reviewed-by: Carlos Amedee &lt;amedee@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
Auto-Submit: Michael Knyszek &lt;mknyszek@google.com&gt;
TryBot-Bypass: Michael Knyszek &lt;mknyszek@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] crypto/x509: make sure pub key is non-nil before interface conversion</title>
<updated>2024-03-05T16:44:27Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2024-01-18T20:51:13Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=be5b52bea674190ef7de272664be6c7ae93ec5a0'/>
<id>urn:sha1:be5b52bea674190ef7de272664be6c7ae93ec5a0</id>
<content type='text'>
alreadyInChain assumes all keys fit an interface which contains the
Equal method (which they do), but this ignores that certificates may
have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In
this case alreadyInChain panics.

Check that the key is non-nil as part of considerCandidate (we are never
going to build a chain containing UnknownPublicKeyAlgorithm anyway).

For #65390
Fixes #65392
Fixes CVE-2024-24783

Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Run-TryBot: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-by: Tatiana Bradley &lt;tatianabradley@google.com&gt;
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-by: Carlos Amedee &lt;amedee@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/569238
Auto-Submit: Michael Knyszek &lt;mknyszek@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] html/template: escape additional tokens in MarshalJSON errors</title>
<updated>2024-02-28T19:53:41Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2024-02-15T01:18:36Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=3643147a29352ca2894fd5d0d2069bc4b4335a7e'/>
<id>urn:sha1:3643147a29352ca2894fd5d0d2069bc4b4335a7e</id>
<content type='text'>
Escape "&lt;/script" and "&lt;!--" in errors returned from MarshalJSON errors
when attempting to marshal types in script blocks. This prevents any
user controlled content from prematurely terminating the script block.

Updates #65697
Fixes #65968

Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b
Reviewed-on: https://go-review.googlesource.com/c/go/+/564196
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] internal/syscall/windows: fix the signature of SetFileInformationByHandle</title>
<updated>2024-02-28T19:46:24Z</updated>
<author>
<name>Bryan C. Mills</name>
<email>bcmills@google.com</email>
</author>
<published>2023-12-12T21:26:45Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=3a588774a586e281c636465b4353b617e1174a70'/>
<id>urn:sha1:3a588774a586e281c636465b4353b617e1174a70</id>
<content type='text'>
Also fix its call site in internal/poll to pass the length of the
actual buffer instead of an unrelated variable, and update the
definition of FILE_BASIC_INFO to match the documented field types
and add padding that is empirically needed on the 386 architecture.

Passing a pointer to a Go-allocated buffer as type uintptr violates
the unsafe.Pointer conversion rules, which allow such a conversion
only in the call expression itself for a call to syscall.Syscall or
equivalent. That can allow the buffer to be corrupted arbitrarily if
the Go runtime happens to garbage-collect it while the call to
SetFileInformationByHandle is in progress.

The Microsoft documentation for SetFileInformationByHandle specifies
its third argument type as LPVOID, which corresponds to Go's
unsafe.Pointer, not uintptr.

Fixes #65882.
Updates #58933.

Change-Id: If577b57adea9922f5fcca55e46030c703d8f035c
Cq-Include-Trybots: luci.golang.try:go1.21-windows-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/go/+/549256
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Than McIntosh &lt;thanm@google.com&gt;
Auto-Submit: Bryan Mills &lt;bcmills@google.com&gt;
Reviewed-by: Quim Muntal &lt;quimmuntal@gmail.com&gt;
Reviewed-by: Alex Brainman &lt;alex.brainman@gmail.com&gt;
(cherry picked from commit a7097243e462802f3055da9f843013e450a75092)
Reviewed-on: https://go-review.googlesource.com/c/go/+/566155
Reviewed-by: Bryan Mills &lt;bcmills@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] net/mail: properly handle special characters in phrase and obs-phrase</title>
<updated>2024-02-28T19:10:06Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2024-01-10T19:02:14Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=263c059b09fdd40d9dd945f2ecb20c89ea28efe5'/>
<id>urn:sha1:263c059b09fdd40d9dd945f2ecb20c89ea28efe5</id>
<content type='text'>
Fixes a couple of misalignments with RFC 5322 which introduce
significant diffs between (mostly) conformant parsers.

This change reverts the changes made in CL50911, which allowed certain
special RFC 5322 characters to appear unquoted in the "phrase" syntax.
It is unclear why this change was made in the first place, and created
a divergence from conformant parsers. In particular this resulted in
treating comments in display names incorrectly.

Additionally properly handle trailing malformed comments in the group
syntax.

For #65083
Fixes #65848

Change-Id: I00dddc044c6ae3381154e43236632604c390f672
Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/566195
Reviewed-by: Carlos Amedee &lt;carlos@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] cmd/go/internal/modcmd: correctly filter out main modules in verify</title>
<updated>2024-02-28T17:54:30Z</updated>
<author>
<name>Michael Matloob</name>
<email>matloob@golang.org</email>
</author>
<published>2024-02-20T21:13:33Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=99e44c71f6c3c132cb4025af0d16840be4b29226'/>
<id>urn:sha1:99e44c71f6c3c132cb4025af0d16840be4b29226</id>
<content type='text'>
This change fixes a bug where we incorrectly filtered out the main
modules from the beginning of the build list before verifying them. We
made the assumption that the first MainModules.Len() entries of the
build list were the main modules, but now it can contain the go and
toolchain version entries, so removing the first MainModules.Len()
entries could leave main module names in the build list if any of
their names sorted after the string 'go'.

For #62663
Fixes #65851

Change-Id: I35ab6857a556f58d306303322afe24c48fc8b38f
Reviewed-on: https://go-review.googlesource.com/c/go/+/565378
Reviewed-by: Bryan Mills &lt;bcmills@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
(cherry picked from commit 3f60da7944352d7f2d4a04830c0612457643016c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/565755
Run-TryBot: Michael Matloob &lt;matloob@golang.org&gt;
TryBot-Result: Gopher Robot &lt;gobot@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.21] runtime: don't let the tests leave core files behind</title>
<updated>2024-02-27T21:42:04Z</updated>
<author>
<name>Ian Lance Taylor</name>
<email>iant@golang.org</email>
</author>
<published>2023-09-01T19:52:48Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=6d31b27150cfbd38849d376549b7c05f83c18a85'/>
<id>urn:sha1:6d31b27150cfbd38849d376549b7c05f83c18a85</id>
<content type='text'>
Also add a check that we didn't leave any core files behind.

For #65476.
Fixes #65478.

Change-Id: I30444ef43ad1a8cc1cacd3b75280f2128e104939
Reviewed-on: https://go-review.googlesource.com/c/go/+/525175
Reviewed-by: Ian Lance Taylor &lt;iant@google.com&gt;
Reviewed-by: Keith Randall &lt;khr@google.com&gt;
Auto-Submit: Ian Lance Taylor &lt;iant@google.com&gt;
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@golang.org&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Keith Randall &lt;khr@golang.org&gt;
(cherry picked from commit cffdfe8d2cabbe874bceaeed1eba92cc567be6db)
Reviewed-on: https://go-review.googlesource.com/c/go/+/560896
</content>
</entry>
<entry>
<title>[release-branch.go1.21] cmd/cgo/internal/testsanitizers: disable location checking for clang</title>
<updated>2024-02-16T15:51:02Z</updated>
<author>
<name>Michael Anthony Knyszek</name>
<email>mknyszek@google.com</email>
</author>
<published>2024-02-08T15:59:07Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=f38fca30a7ea1346c6a7eefeb3253f2eefe8075b'/>
<id>urn:sha1:f38fca30a7ea1346c6a7eefeb3253f2eefe8075b</id>
<content type='text'>
Pending a resolution to #65606, this CL marks clang's ASAN runtime as
unable to symbolize stack traces to unblock the LUCI clang builder.

For #65606.
For #65469.
Fixes #65640.

Change-Id: I649773085aff30e5703e7f7ac2c72a0430a015c2
Cq-Include-Trybots: luci.golang.try:go1.21-linux-amd64-clang15
Reviewed-on: https://go-review.googlesource.com/c/go/+/562675
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@golang.org&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
(cherry picked from commit d94ab597af9b3f8e8ba371023314d80f6b3be5a5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/562999
</content>
</entry>
</feed>
