go, branch go1.23.5

[release-branch.go1.23] go1.23.5

2025-01-16T20:07:56Z

Change-Id: I849328cf93adf24c223f103f5b834635970ea652 Reviewed-on: https://go-review.googlesource.com/c/go/+/643137 Reviewed-by: Michael Knyszek Reviewed-by: Michael Pratt Auto-Submit: Gopher Robot LUCI-TryBot-Result: Go LUCI

[release-branch.go1.23] net/http: persist header stripping across repeated redirects

2025-01-16T19:00:39Z

When an HTTP redirect changes the host of a request, we drop sensitive headers such as Authorization from the redirected request. Fix a bug where a chain of redirects could result in sensitive headers being sent to the wrong host: 1. request to a.tld with Authorization header 2. a.tld redirects to b.tld 3. request to b.tld with no Authorization header 4. b.tld redirects to b.tld 3. request to b.tld with Authorization header restored Thanks to Kyle Seely for reporting this issue. For #70530 Fixes ##71211 Fixes CVE-2024-45336 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641 Reviewed-by: Roland Shoemaker Reviewed-by: Tatiana Bradley Commit-Queue: Roland Shoemaker Change-Id: I326544358de71ff892d9e9fe338252a5dd04001f Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1764 Reviewed-on: https://go-review.googlesource.com/c/go/+/643104 Auto-Submit: Michael Knyszek LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Pratt

[release-branch.go1.23] crypto/x509: properly check for IPv6 hosts in URIs

2025-01-16T19:00:37Z

When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For #71156 Fixes #71208 Fixes CVE-2024-45341 Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley Reviewed-by: Damien Neil (cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762 Reviewed-by: Roland Shoemaker Reviewed-on: https://go-review.googlesource.com/c/go/+/643103 LUCI-TryBot-Result: Go LUCI Auto-Submit: Michael Knyszek Reviewed-by: Michael Pratt

[release-branch.go1.23] runtime: hold traceAcquire across casgstatus in injectglist

2025-01-08T18:02:57Z

Currently injectglist emits all the trace events before actually calling casgstatus on each goroutine. This is a problem, since tracing can observe an inconsistent state (gstatus does not match tracer's 'emitted an event' state). This change fixes the problem by having injectglist do what every other scheduler function does, and that's wrap each call to casgstatus in traceAcquire/traceRelease. For #70883. Fixes #71147. Change-Id: I857e96cec01688013597e8efc0c4c3d0b72d3a70 Reviewed-on: https://go-review.googlesource.com/c/go/+/638558 Reviewed-by: Michael Pratt LUCI-TryBot-Result: Go LUCI (cherry picked from commit f025d19e7b3f0c66242760c213cc2b54cb100f69) Reviewed-on: https://go-review.googlesource.com/c/go/+/641378 Auto-Submit: Michael Pratt

[release-branch.go1.23] crypto/tls: fix Config.Time in tests using expired certificates

2025-01-08T17:33:16Z

Updates #71077 Fixes #71104 Change-Id: I6a6a465685f3bd50a5bb35a160f87b59b74fa6af Reviewed-on: https://go-review.googlesource.com/c/go/+/639655 Auto-Submit: Ian Lance Taylor Reviewed-by: Damien Neil LUCI-TryBot-Result: Go LUCI Auto-Submit: Filippo Valsorda Auto-Submit: Damien Neil Reviewed-by: Joel Sing Reviewed-by: Ian Lance Taylor Reviewed-on: https://go-review.googlesource.com/c/go/+/640315 Reviewed-by: Filippo Valsorda

[release-branch.go1.23] net: don't use sendfile for irregular files; handle EOPNOTSUPP/ENOTSUP

2024-12-18T17:42:15Z

This is not a cherry pick, because the code has changed on tip. For #70763 Fixes #70789 Change-Id: If9fcfee17e86a746cf8c72293dc34f80b430f6e6 Reviewed-on: https://go-review.googlesource.com/c/go/+/635397 Auto-Submit: Ian Lance Taylor Reviewed-by: Dmitri Shuralyov Reviewed-by: Damien Neil LUCI-TryBot-Result: Go LUCI

[release-branch.go1.23] runtime: update and restore g0 stack bounds at cgocallback

2024-12-13T19:18:11Z

Currently, at a cgo callback where there is already a Go frame on the stack (i.e. C->Go->C->Go), we require that at the inner Go callback the SP is within the g0's stack bounds set by a previous callback. This is to prevent that the C code switches stack while having a Go frame on the stack, which we don't really support. But this could also happen when we cannot get accurate stack bounds, e.g. when pthread_getattr_np is not available. Since the stack bounds are just estimates based on the current SP, if there are multiple C->Go callbacks with various stack depth, it is possible that the SP of a later callback falls out of a previous call's estimate. This leads to runtime throw in a seemingly reasonable program. This CL changes it to save the old g0 stack bounds at cgocallback, update the bounds, and restore the old bounds at return. So each callback will get its own stack bounds based on the current SP, and when it returns, the outer callback has the its old stack bounds restored. Also, at a cgo callback when there is no Go frame on the stack, we currently always get new stack bounds. We do this because if we can only get estimated bounds based on the SP, and the stack depth varies a lot between two C->Go calls, the previous estimates may be off and we fall out or nearly fall out of the previous bounds. But this causes a performance problem: the pthread API to get accurate stack bounds (pthread_getattr_np) is very slow when called on the main thread. Getting the stack bounds every time significantly slows down repeated C->Go calls on the main thread. This CL fixes it by "caching" the stack bounds if they are accurate. I.e. at the second time Go calls into C, if the previous stack bounds are accurate, and the current SP is in bounds, we can be sure it is the same stack and we don't need to update the bounds. This avoids the repeated calls to pthread_getattr_np. If we cannot get the accurate bounds, we continue to update the stack bounds based on the SP, and that operation is very cheap. On a Linux/AMD64 machine with glibc: name old time/op new time/op delta CgoCallbackMainThread-8 96.4µs ± 3% 0.1µs ± 2% -99.92% (p=0.000 n=10+9) Updates #68285. Updates #68587. Fixes #69988. Change-Id: I3422badd5ad8ff63e1a733152d05fb7a44d5d435 Reviewed-on: https://go-review.googlesource.com/c/go/+/600296 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Pratt (cherry picked from commit 76a8409eb81eda553363783dcdd9d6224368ae0e) Reviewed-on: https://go-review.googlesource.com/c/go/+/635775

[release-branch.go1.23] cmd/compile/internal/importer: enable aliases

2024-12-11T19:17:27Z

Flips the pkgReader.enableAlias flag to true when reading unified IR. This was disabled while resolving #66873. This resolves the TODO to flip it back to true. Fixes #70394 Fixes #70517 Updates #66873 Change-Id: Ifd52b0f9510d6bcf151de1c9a18d71ab548c14e4 Reviewed-on: https://go-review.googlesource.com/c/go/+/604099 LUCI-TryBot-Result: Go LUCI Reviewed-by: David Chase (cherry picked from commit 209ed1a9c75d17046285c416b74a14bb89799757) Reviewed-on: https://go-review.googlesource.com/c/go/+/631855 Commit-Queue: Tim King Reviewed-by: Robert Griesemer

[release-branch.go1.23] go1.23.4

2024-12-03T18:27:46Z

Change-Id: I8d26e5231e868476949390ec900f0273c816d807 Reviewed-on: https://go-review.googlesource.com/c/go/+/633217 Reviewed-by: Veronica Silina Auto-Submit: Gopher Robot LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Knyszek

[release-branch.go1.23] cmd/trace: also show end stack traces

2024-11-27T20:24:20Z

Fix a regression that appeared in 1.23 when it comes to the stack traces shown in the trace viewer. In 1.22 and earlier, the viewer was always showing end stack traces. In 1.23 and later the viewer started to exclusively show start stack traces. Showing only the start stack traces made it impossible to see the last stack trace produced by a goroutine. It also made it hard to understand why a goroutine went off-cpu, as one had to hunt down the next running slice of the same goroutine. Emit end stack traces in addition to start stack traces to fix the issue. Fixes #70592 Change-Id: Ib22ea61388c1d94cdbc99fae2d207c4dce011a59 Reviewed-on: https://go-review.googlesource.com/c/go/+/631895 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Pratt Auto-Submit: Felix Geisendörfer Reviewed-by: Nick Ripley Reviewed-by: Michael Knyszek (cherry picked from commit 6405e60ca6be798c1f8c1d0365fd63b89b524df5) Reviewed-on: https://go-review.googlesource.com/c/go/+/632075 Reviewed-by: Veronica Silina Auto-Submit: Veronica Silina