Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.23.6 2025-02-04T16:39:47Z 2025-02-04T16:39:47Z Gopher Robot gobot@golang.org 2025-02-04T16:13:44Z urn:sha1:a991f9c34d454d3d844f21dc08f2d05df35a8c60 Change-Id: Iec54508cfd791299630ae4b784667cd2643c4c15 Reviewed-on: https://go-review.googlesource.com/c/go/+/646221 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Cherry Mui <cherryyz@google.com> 2025-01-31T17:38:23Z Roland Shoemaker roland@golang.org 2025-01-22T00:03:14Z urn:sha1:6644ed63b1e6ccc129647ef6b0d4647fdbe14056 Remove the branching instruction from p256NegCond which made it variable time. The technique used matches that used in p256MovCond. Fixes #71383 Fixes #71423 Fixes CVE-2025-22866 Change-Id: Ibc2a46814d856cbbdaf6cc0c5a415ed5d42ca793 Reviewed-on: https://go-review.googlesource.com/c/go/+/643735 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Paul Murphy <murp@ibm.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 6fc23a3cff5e38ff72923fee50f51254dcdc6e93) Reviewed-on: https://go-review.googlesource.com/c/go/+/645515 Reviewed-by: Carlos Amedee <carlos@golang.org> 2025-01-17T16:30:53Z Russ Cox rsc@golang.org 2025-01-14T04:00:14Z urn:sha1:ab44565bcd9ad975b87ffd78c36c1fae1644d0bf Newer git versions (at least git 2.47.1) do not send all the matching tags for a shallow fetch of a specific hash anymore. The go command assumes that git servers do this. Since that assumption is broken, use the local copy of the remote refs list to augment the tags sent by the server. This makes the cmd/go/internal/modfetch tests pass again with newer git. For #71261 Fixes #71263 Change-Id: I9fd4f3fd7beeb68a522938599f8f3acd887d0b26 Reviewed-on: https://go-review.googlesource.com/c/go/+/642437 Reviewed-by: Michael Matloob <matloob@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Russ Cox <rsc@golang.org> (cherry picked from commit bd80d8956f3062d2b2bff2d7da6b879dfa909f12) Reviewed-on: https://go-review.googlesource.com/c/go/+/642696 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Russ Cox <rsc@golang.org> 2025-01-17T15:41:09Z Keith Randall khr@golang.org 2025-01-11T01:33:26Z urn:sha1:9cbbf5e0f4fe5231a5ad425638800618839de0a5 We can't coalesce a non-WB store with a subsequent Move, as the result of the store might be the source of the move. There's a simple codegen test. Not sure how we might do a real test, as all the repro's I've come up with are very expensive and unreliable. Fixes #71230 Change-Id: If18bf181a266b9b90964e2591cd2e61a7168371c Reviewed-on: https://go-review.googlesource.com/c/go/+/642197 Reviewed-by: Keith Randall <khr@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/642498 2025-01-16T20:07:56Z Gopher Robot gobot@golang.org 2025-01-16T19:41:53Z urn:sha1:d04e3cbc9240e25de449dcae2ec33d03062f347b Change-Id: I849328cf93adf24c223f103f5b834635970ea652 Reviewed-on: https://go-review.googlesource.com/c/go/+/643137 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2025-01-16T19:00:39Z Damien Neil dneil@google.com 2024-11-22T20:34:11Z urn:sha1:bb8230f80535945648e8b56739ad450cf433eba9 When an HTTP redirect changes the host of a request, we drop sensitive headers such as Authorization from the redirected request. Fix a bug where a chain of redirects could result in sensitive headers being sent to the wrong host: 1. request to a.tld with Authorization header 2. a.tld redirects to b.tld 3. request to b.tld with no Authorization header 4. b.tld redirects to b.tld 3. request to b.tld with Authorization header restored Thanks to Kyle Seely for reporting this issue. For #70530 Fixes ##71211 Fixes CVE-2024-45336 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Commit-Queue: Roland Shoemaker <bracewell@google.com> Change-Id: I326544358de71ff892d9e9fe338252a5dd04001f Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1764 Reviewed-on: https://go-review.googlesource.com/c/go/+/643104 Auto-Submit: Michael Knyszek <mknyszek@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com> 2025-01-16T19:00:37Z Roland Shoemaker bracewell@google.com 2024-12-09T19:31:22Z urn:sha1:fdb8413fe588ec6dc31f1deaf43eb7202a76bb79 When checking URI constraints, use netip.ParseAddr, which understands zones, unlike net.ParseIP which chokes on them. This prevents zone IDs from mistakenly satisfying URI constraints. Thanks to Juho Forsén of Mattermost for reporting this issue. For #71156 Fixes #71208 Fixes CVE-2024-45341 Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700 Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> (cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd) Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762 Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/643103 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> 2025-01-08T18:02:57Z Michael Anthony Knyszek mknyszek@google.com 2024-12-23T17:21:07Z urn:sha1:1dde0b484489653136a54df9932cc8d1c0fb6d1b Currently injectglist emits all the trace events before actually calling casgstatus on each goroutine. This is a problem, since tracing can observe an inconsistent state (gstatus does not match tracer's 'emitted an event' state). This change fixes the problem by having injectglist do what every other scheduler function does, and that's wrap each call to casgstatus in traceAcquire/traceRelease. For #70883. Fixes #71147. Change-Id: I857e96cec01688013597e8efc0c4c3d0b72d3a70 Reviewed-on: https://go-review.googlesource.com/c/go/+/638558 Reviewed-by: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit f025d19e7b3f0c66242760c213cc2b54cb100f69) Reviewed-on: https://go-review.googlesource.com/c/go/+/641378 Auto-Submit: Michael Pratt <mpratt@google.com> 2025-01-08T17:33:16Z Filippo Valsorda filippo@golang.org 2025-01-02T00:34:40Z urn:sha1:3417000c69bc89c173cfafcf3f2a06a408b32880 Updates #71077 Fixes #71104 Change-Id: I6a6a465685f3bd50a5bb35a160f87b59b74fa6af Reviewed-on: https://go-review.googlesource.com/c/go/+/639655 Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Joel Sing <joel@sing.id.au> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/640315 Reviewed-by: Filippo Valsorda <filippo@golang.org> 2024-12-18T17:42:15Z Ian Lance Taylor iant@golang.org 2024-12-11T22:18:42Z urn:sha1:1576793c513c5cd8396d1a5b004b546e82efc033 This is not a cherry pick, because the code has changed on tip. For #70763 Fixes #70789 Change-Id: If9fcfee17e86a746cf8c72293dc34f80b430f6e6 Reviewed-on: https://go-review.googlesource.com/c/go/+/635397 Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>