Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.22.11 2025-01-16T20:07:58Z 2025-01-16T20:07:58Z Gopher Robot gobot@golang.org 2025-01-16T19:41:48Z urn:sha1:f07288435495dccb05217b6012ecb2b7a5b521ab Change-Id: I7ab7e0219977de1fc313a684c48b78fd0219de81 Reviewed-on: https://go-review.googlesource.com/c/go/+/643156 Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2025-01-16T19:07:07Z Damien Neil dneil@google.com 2024-11-22T20:34:11Z urn:sha1:b72d56f98d6620ebe07626dca4bb67ea8e185379 When an HTTP redirect changes the host of a request, we drop sensitive headers such as Authorization from the redirected request. Fix a bug where a chain of redirects could result in sensitive headers being sent to the wrong host: 1. request to a.tld with Authorization header 2. a.tld redirects to b.tld 3. request to b.tld with no Authorization header 4. b.tld redirects to b.tld 3. request to b.tld with Authorization header restored Thanks to Kyle Seely for reporting this issue. Fixes #70530 For #71210 Fixes CVE-2024-45336 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Commit-Queue: Roland Shoemaker <bracewell@google.com> Change-Id: Id7b1e3c90345566b8ee1a51f65dbb179da6eb427 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1765 Reviewed-on: https://go-review.googlesource.com/c/go/+/643106 Reviewed-by: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> 2025-01-16T19:07:05Z Roland Shoemaker bracewell@google.com 2024-12-09T19:31:22Z urn:sha1:19d21034157ba69d0f54318a9867d9b08730efcb When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For #71156 Fixes #71207 Fixes CVE-2024-45341 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> Change-Id: I1d97723e0f29fcf1404fb868ba0495282da70f6e Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1780 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/643105 TryBot-Bypass: Michael Knyszek <mknyszek@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> 2025-01-08T17:58:22Z Michael Anthony Knyszek mknyszek@google.com 2024-12-23T17:21:07Z urn:sha1:ae9996f96510b105f478a426cd83cfac7b83c4e3 Currently injectglist emits all the trace events before actually calling casgstatus on each goroutine. This is a problem, since tracing can observe an inconsistent state (gstatus does not match tracer's 'emitted an event' state). This change fixes the problem by having injectglist do what every other scheduler function does, and that's wrap each call to casgstatus in traceAcquire/traceRelease. For #70883. Fixes #71146. Change-Id: I857e96cec01688013597e8efc0c4c3d0b72d3a70 Reviewed-on: https://go-review.googlesource.com/c/go/+/638558 Reviewed-by: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit f025d19e7b3f0c66242760c213cc2b54cb100f69) Reviewed-on: https://go-review.googlesource.com/c/go/+/641356 Auto-Submit: Michael Pratt <mpratt@google.com> 2025-01-08T17:33:51Z Filippo Valsorda filippo@golang.org 2025-01-02T00:34:40Z urn:sha1:223260bc63bfc1a3120face5bbc49285f6c32357 Updates #71077 Fixes #71103 Change-Id: I6a6a465685f3bd50a5bb35a160f87b59b74fa6af Reviewed-on: https://go-review.googlesource.com/c/go/+/639655 Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Joel Sing <joel@sing.id.au> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/640237 2024-12-03T18:00:04Z Gopher Robot gobot@golang.org 2024-12-03T17:22:36Z urn:sha1:8f3f22eef807250155301822a8960afec160cc02 Change-Id: I5e9be77389bcb215c114013c169841cfbcaa9550 Reviewed-on: https://go-review.googlesource.com/c/go/+/633235 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Veronica Silina <veronicasilina@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> 2024-11-27T19:14:30Z Russ Cox rsc@golang.org 2024-11-12T22:23:12Z urn:sha1:6d7a95abcac5192f539c34ea96b3b3de6b933b87 The failures in #70288 are consistent with and strongly imply stack corruption during fault handling, and debug prints show that the Go code run during fault handling is running about 300 bytes above the bottom of the goroutine stack. That should be okay, but that implies the DLL code that called Go's handler was running near the bottom of the stack too, and maybe it called other deeper things before or after the Go handler and smashed the stack that way. stackSystem is already 4096 bytes on amd64; making it match that on 386 makes the flaky failures go away. It's a little unsatisfying not to be able to say exactly what is overflowing the stack, but the circumstantial evidence is very strong that it's Windows. For #70288. Fixes #70474. Change-Id: Ife89385873d5e5062a71629dbfee40825edefa49 Reviewed-on: https://go-review.googlesource.com/c/go/+/627375 Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Russ Cox <rsc@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 7eeb0a188eb644486da9f77bae0375d91433d0bf) Reviewed-on: https://go-review.googlesource.com/c/go/+/632197 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Veronica Silina <veronicasilina@google.com> 2024-11-20T18:07:06Z qmuntal quimmuntal@gmail.com 2024-11-05T15:01:45Z urn:sha1:6f05fa7a4f632fee7fadada8d31cf8755c709610 syscall.SyscallN is implemented by runtime.syscall_syscalln, which makes sure that the variadic argument doesn't escape. There is no need to worry about the lifetime of the elements of the variadic argument, as the compiler will keep them live until the function returns. For #70197 Fixes #70201 Change-Id: I12991f0be12062eea68f2b103fa0a794c1b527eb Reviewed-on: https://go-review.googlesource.com/c/go/+/625297 Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Alex Brainman <alex.brainman@gmail.com> Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 7fff741016c8157e107cce8013ee3ca621725384) Reviewed-on: https://go-review.googlesource.com/c/go/+/630215 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Quim Muntal <quimmuntal@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> 2024-11-19T18:02:54Z Dmitri Shuralyov dmitshur@golang.org 2024-11-04T22:36:26Z urn:sha1:3355db96902ebc2403e08de9ced8a495f29ec870 This stops the test from failing with a known failure mode, and creates time to look into what the next steps should be, if any. For #69840. Fixes #70238. Change-Id: I060903d256ed65c5dfcd70ae76eb361cab63186f Reviewed-on: https://go-review.googlesource.com/c/go/+/625197 Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Eric Grosse <grosse@gmail.com> (cherry picked from commit bea9b91f0f4be730c880edbe496ab25c9b742cad) Reviewed-on: https://go-review.googlesource.com/c/go/+/627416 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Commit-Queue: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> 2024-11-06T22:47:22Z Gopher Robot gobot@golang.org 2024-11-06T22:21:19Z urn:sha1:8af39d30a4c4cf68d566345f26224c191960d9b0 Change-Id: I3255f216bc6976f9b5a1b1fc4f654caa2d2bc342 Reviewed-on: https://go-review.googlesource.com/c/go/+/626136 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com>