Fork of Go programming language with my patches. http://git.kilabit.info/go/atom?h=go1.26.1 2026-03-06T00:26:39Z 2026-03-06T00:26:39Z Gopher Robot gobot@golang.org 2026-03-06T00:19:54Z urn:sha1:e87b10ea2a2c6c65b80c4374af42b9c02ac9fb20 Change-Id: Ia2366ca54412a0e31c3838f71f302e2e7f26260e Reviewed-on: https://go-review.googlesource.com/c/go/+/752121 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Jakub Ciolek <jakub@ciolek.dev> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2026-03-06T00:12:58Z Roland Shoemaker bracewell@google.com 2026-02-11T22:49:13Z urn:sha1:e792d6aa952dbfdd3e8eac6f7abc3efd9df09030 Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which causes the excluded domain name wildcard checking to panic, because we assume names are always non-empty. RFC 5280 appears to say the empty string should not be accepted, although confusingly refers to this as " " (a single space). We should probably not allow that when creating certificates, and possibly when creating them as well (1.27 I guess). Thanks to Jakub Ciolek for reporting this issue. Updates #77953 Fixes #77974 Fixes CVE-2026-27138 Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752083 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> 2026-03-06T00:12:54Z Roland Shoemaker bracewell@google.com 2026-02-11T23:16:38Z urn:sha1:a761c9ff70fec8e1089897eebd104a8f31cff2d3 For full email addresses (local@domain), we stored a map between the case sensitive local portion to the case insensitive domain portion, and used that to check if a email SAN matched the constraint. This could be abused, because it was a map[string]string, meaning if any two constraints had the same local portion but different domains, the second would overwrite the first. Change the map from map[string]string to map[rfc2821Mailbox]struct{}, where the domain portion of the mailbox is lowercased. When checking for a match we then check the parsed mailbox against the map, lowercasing the domain portion of the query when we initially parse the address. This gives us the same functionality as before, but without the possibility of one constraint overwriting another. Thanks to Jakub Ciolek for reporting this issue. Updates #77952 Fixes #77973 Fixes CVE-2026-27137 Change-Id: Ia405209be6f3b87cf4ac220a645467418dc41805 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3440 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3620 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752082 TryBot-Bypass: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> 2026-03-06T00:12:49Z Roland Shoemaker bracewell@google.com 2026-01-09T19:12:01Z urn:sha1:994692847a2cd3efd319f0cb61a07c0012c8a4ff The meta tag can include a content attribute that contains URLs, which we currently don't escape if they are inserted via a template action. This can plausibly lead to XSS vulnerabilities if untrusted data is inserted there, the http-equiv attribute is set to "refresh", and the content attribute contains an action like `url={{.}}`. Track whether we are inside of a meta element, if we are inside of a content attribute, _and_ if the content attribute contains "url=". If all of those are true, then we will apply the same URL escaping that we use elsewhere. Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this escaping for cases where this behavior is considered safe. The behavior can be disabled by setting htmlmetacontenturlescape=0. Updates #77954 Fixes #77972 Fixes CVE-2026-27142 Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752081 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2026-03-06T00:12:45Z Ian Alexander jitsu@google.com 2026-01-28T20:29:52Z urn:sha1:65c7d7a9fb3a9d1fbf1e702a211b8cc3a7bedb53 This change rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL. For example: http://example.com[::1] -> rejects http://[::1] -> accepts Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. Updates #77578 Fixes #77970 Fixes CVE-2026-25679 Change-Id: I7109031880758f7c1eb4eca513323328feace33c Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3622 Reviewed-on: https://go-review.googlesource.com/c/go/+/752080 Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> 2026-03-04T18:38:52Z Michael Matloob matloob@golang.org 2026-02-27T18:03:36Z urn:sha1:e28ac674af90b079a7018ce8275885b3b5366d2a This restores the previous behavior of setting go directive to the toolchain's version as per #77653. For #77653 Fixes #77860 Change-Id: Ie9d2de025a75f39fd8d6d01776d0cf4e5da954f9 Reviewed-on: https://go-review.googlesource.com/c/go/+/749948 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Austin Clements <austin@google.com> 2026-03-03T02:06:21Z Cherry Mui cherryyz@google.com 2026-03-02T22:05:16Z urn:sha1:4d1051fdc9425deed04d63d78e073223ea9fa2cd Update x/tools vendor to the tip of internal-branch.go1.26-vendor branch (642dd50), to pull in recent fixes of the modernizer. Done by cd GOROOT/cmd go get golang.org/x/tools@internal-branch.go1.26-vendor go mod tidy go mod vendor Fixes #77766 Fixes #77803 Fixes #77804 Fixes #77805 Fixes #77807 Fixes #77849 Fixes #77899 Fixes #77904 Change-Id: Id7aa8c2247949bdc104898270a4ceb3eee68a818 Reviewed-on: https://go-review.googlesource.com/c/go/+/750761 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Alan Donovan <adonovan@google.com> 2026-02-27T21:48:25Z Damien Neil dneil@google.com 2026-02-26T17:54:33Z urn:sha1:8cce3ab20c49a5c3c9fa8e97ad47335c3ccd2620 When reading the contents of a directory using File.ReadDir or File.Readdir, the os.FileInfo was populated on Unix platforms using lstat. This lstat call is vulnerable to a TOCTOU race and could escape the root. For example: - Open the directory "dir" within a Root. This directory contains a file named "file". - Use File.ReadDir to list the contents of "dir", receiving a os.DirEntry for "dir/file". - Replace "dir" with a symlink to "/etc". - Use DirEntry.Info to retrieve the FileInfo for "dir/file". This FileInfo contains information on "/etc/file" instead. This escape permits identifying the presence or absence of files outside a Root, as well as retreiving stat metadata (size, mode, modification time, etc.) for files outside a Root. This escape does not permit reading or writing to files outside a Root. For #77827 Fixes #77834 Fixes CVE-2026-27139 Change-Id: I40004f830c588e516aff8ee593d630d36a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/749480 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org> Auto-Submit: Damien Neil <dneil@google.com> (cherry picked from commit 657ed934e85dc575aad51356c4b437961e7c1313) Reviewed-on: https://go-review.googlesource.com/c/go/+/749822 2026-02-26T19:45:11Z Keith Randall khr@golang.org 2026-02-11T01:44:08Z urn:sha1:ef041913a827cbd63a23c5029b87991c6e49529e Ensures that deeply nested structs that have the underlying shape of a pointer get unwrapped properly. Update #77536 Change-Id: I004f424d2c62ec7026281daded9b3d96c021e2e1 Reviewed-on: https://go-review.googlesource.com/c/go/+/747760 Reviewed-by: Mark Freeman <markfreeman@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit 1aa534dbb8970b86b0f4059b7665e3505d145e25) Reviewed-on: https://go-review.googlesource.com/c/go/+/749460 2026-02-26T18:36:00Z Keith Randall khr@golang.org 2026-02-11T01:44:08Z urn:sha1:155c25e249cab56f740aa93c81ebcb761dd32290 Normally we don't SSA-ify variables with types that have more than 4 fields. But we really do want to SSA-ify them if they are pointer shaped. An odd case, but the compiler shouldn't barf on them. Failure probably started with CL 714421. Fixes #77536 Change-Id: I51ef87676cc31df1e51e164bbd58d58c0ab72436 Reviewed-on: https://go-review.googlesource.com/c/go/+/744280 Reviewed-by: Junyang Shao <shaojunyang@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> (cherry picked from commit 6435bf46c17dccb2eb5f7bab7dd8aa4972252b21) Reviewed-on: https://go-review.googlesource.com/c/go/+/749421 Reviewed-by: Mark Freeman <markfreeman@google.com>