go, branch go1.25.8

[release-branch.go1.25] go1.25.8

2026-03-06T00:26:43Z

Change-Id: Ibbe87e0b8afcff83ecbf8fc441a2fd4823c999fa Reviewed-on: https://go-review.googlesource.com/c/go/+/752122 TryBot-Bypass: Gopher Robot Reviewed-by: Cherry Mui Reviewed-by: Dmitri Shuralyov Reviewed-by: Jakub Ciolek Auto-Submit: Gopher Robot

[release-branch.go1.25] html/template: properly escape URLs in meta content attributes

2026-03-06T00:15:29Z

The meta tag can include a content attribute that contains URLs, which we currently don't escape if they are inserted via a template action. This can plausibly lead to XSS vulnerabilities if untrusted data is inserted there, the http-equiv attribute is set to "refresh", and the content attribute contains an action like `url={{.}}`. Track whether we are inside of a meta element, if we are inside of a content attribute, _and_ if the content attribute contains "url=". If all of those are true, then we will apply the same URL escaping that we use elsewhere. Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this escaping for cases where this behavior is considered safe. The behavior can be disabled by setting htmlmetacontenturlescape=0. Updates #77954 Fixes #77971 Fixes CVE-2026-27142 Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 Reviewed-by: Neal Patel Reviewed-by: Nicholas Husin Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3644 Reviewed-by: Damien Neil Commit-Queue: Roland Shoemaker Reviewed-on: https://go-review.googlesource.com/c/go/+/752101 Auto-Submit: Gopher Robot TryBot-Bypass: Gopher Robot Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui

[release-branch.go1.25] net/url: reject IPv6 literal not at start of host

2026-03-06T00:15:25Z

This change rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL. For example: http://example.com[::1] -> rejects http://[::1] -> accepts Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. Updates #77578 Fixes #77969 Fixes CVE-2026-25679 Change-Id: I7109031880758f7c1eb4eca513323328feace33c Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 Reviewed-by: Neal Patel Reviewed-by: Roland Shoemaker Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642 Reviewed-on: https://go-review.googlesource.com/c/go/+/752100 Reviewed-by: Cherry Mui Auto-Submit: Gopher Robot TryBot-Bypass: Gopher Robot Reviewed-by: Dmitri Shuralyov

[release-branch.go1.25] os: avoid escape from Root via ReadDir or Readdir

2026-02-27T21:46:29Z

When reading the contents of a directory using File.ReadDir or File.Readdir, the os.FileInfo was populated on Unix platforms using lstat. This lstat call is vulnerable to a TOCTOU race and could escape the root. For example: - Open the directory "dir" within a Root. This directory contains a file named "file". - Use File.ReadDir to list the contents of "dir", receiving a os.DirEntry for "dir/file". - Replace "dir" with a symlink to "/etc". - Use DirEntry.Info to retrieve the FileInfo for "dir/file". This FileInfo contains information on "/etc/file" instead. This escape permits identifying the presence or absence of files outside a Root, as well as retreiving stat metadata (size, mode, modification time, etc.) for files outside a Root. This escape does not permit reading or writing to files outside a Root. For #77827 Fixes #77833 Fixes CVE-2026-27139 Change-Id: I40004f830c588e516aff8ee593d630d36a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/749480 LUCI-TryBot-Result: Go LUCI Reviewed-by: Nicholas Husin Reviewed-by: Nicholas Husin Auto-Submit: Damien Neil (cherry picked from commit 657ed934e85dc575aad51356c4b437961e7c1313) Reviewed-on: https://go-review.googlesource.com/c/go/+/749920

[release-branch.go1.25] internal/syscall/windows: correct some enums and syscall signatures

2026-02-26T17:26:25Z

This CL corrects code submitted in CL 741040. Fixes #77406 Change-Id: I1c22c1a9f77028f3c2a8e3905f2ec5b071b5445e GitHub-Last-Rev: 2bfb07310b4707484b5bdce96ad367db567741c4 GitHub-Pull-Request: golang/go#77525 Reviewed-on: https://go-review.googlesource.com/c/go/+/743780 Reviewed-by: Junyang Shao Reviewed-by: Alex Brainman LUCI-TryBot-Result: Go LUCI Reviewed-by: Mark Freeman Reviewed-on: https://go-review.googlesource.com/c/go/+/749440 Reviewed-by: David Chase Auto-Submit: Mark Freeman

[release-branch.go1.25] os: support deleting inaccessible files in RemoveAll

2026-02-26T15:38:24Z

windows: retry file open with DELETE access after access denied Additional access rights when opening files, including SYNCHRONIZE, break deletion when the caller has FILE_DELETE_CHILD on the parent directory but not the file. Retry with DELETE only restores correct Windows semantics. For #77406 Change-Id: Ie53bc6f1673de1a8af4dcfb7496daf99e71098cb GitHub-Last-Rev: 0ad635cf1a13c0242e3b1922cf47a8c594dd7215 GitHub-Pull-Request: golang/go#77403 Reviewed-on: https://go-review.googlesource.com/c/go/+/741040 Reviewed-by: Quim Muntal LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Pratt Auto-Submit: Michael Pratt Reviewed-by: Michael Knyszek Reviewed-on: https://go-review.googlesource.com/c/go/+/746361 Auto-Submit: Mark Freeman Reviewed-by: Dmitri Shuralyov

[release-branch.go1.25] all: update x/sys

2026-02-25T23:51:44Z

For #77406 Change-Id: Id15681ea136469fa3b53d163363dec0c6b0893ae Reviewed-on: https://go-review.googlesource.com/c/go/+/749162 LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Auto-Submit: Mark Freeman Reviewed-by: Mark Freeman

[release-branch.go1.25] runtime: don't negate eventfd errno

2026-02-25T21:57:57Z

The Linux syscall package does this for us. For #75337. Fixes #77413. Change-Id: I6a6a636c9bb5fe25fdc6f80dc8b538ebed60d00b Reviewed-on: https://go-review.googlesource.com/c/go/+/701796 Reviewed-by: Michael Knyszek LUCI-TryBot-Result: Go LUCI Auto-Submit: Michael Pratt (cherry picked from commit d3be949ada01d7827f8edc87665fef5268634cb3) Reviewed-on: https://go-review.googlesource.com/c/go/+/741223 Reviewed-by: Michael Pratt Reviewed-by: David Chase Reviewed-by: Florian Lehner

[release-branch.go1.25] net/smtp: prevent test failures due to expired test certificate

2026-02-25T21:16:46Z

The current localhostCert used for testing seems to have its expiry date mistakenly set to Mar 18 19:27:54 2026 GMT. To prevent test failures, use fixed time in tests. Also, regenerate the certificate so we can fix the time to UNIX epoch (the current certificate is only valid after Mar 18 2025). Fixes #77531 Change-Id: I3136d29eaa0c8c4361f5627003f08a0059702f0d Reviewed-on: https://go-review.googlesource.com/c/go/+/744260 Reviewed-by: David Chase Reviewed-by: Roland Shoemaker Reviewed-by: Nicholas Husin LUCI-TryBot-Result: Go LUCI (cherry picked from commit 215a070a049ce449480ca6948e7fafdeb7b16920) Reviewed-on: https://go-review.googlesource.com/c/go/+/748280

[release-branch.go1.25] cmd/go: fix pkg-config flag sanitization

2026-02-25T20:43:24Z

Implement a new pkg-config safe flag list (containing everything except for --log-file) and use that when checking flags passed to pkg-config, instead of using checkCompilerFlags. Updates #77387 Fixes #77438 Change-Id: Id6141d0a2934053aa43e3aa8ce402bd499c4c028 Reviewed-on: https://go-review.googlesource.com/c/go/+/741042 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Pratt Auto-Submit: Roland Shoemaker Reviewed-by: Ian Lance Taylor (cherry picked from commit 28fbdf7acb4146b5bc3d88128e407d1344691839) Reviewed-on: https://go-review.googlesource.com/c/go/+/745481 Reviewed-by: David Chase