go, branch go1.7rc2

[release-branch.go1.7] go1.7rc2

2016-07-18T15:36:41Z

Change-Id: I5473071f672f8352fbd3352e158d5be12823b58a Reviewed-on: https://go-review.googlesource.com/25017 Run-TryBot: Chris Broadfoot Reviewed-by: Brad Fitzpatrick

[release-branch.go1.7] net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue

2016-07-18T15:13:06Z

Because, * The CGI spec defines that incoming request header "Foo: Bar" maps to environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18) * The HTTP_PROXY environment variable is conventionally used to configure the HTTP proxy for HTTP clients (and is respected by default for Go's net/http.Client and Transport) That means Go programs running in a CGI environment (as a child process under a CGI host) are vulnerable to an incoming request containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and changing where Go by default proxies all outbound HTTP requests. This is CVE-2016-5386, aka https://httpoxy.org/ Fixes #16405 Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0 Reviewed-on: https://go-review.googlesource.com/25010 Run-TryBot: Chris Broadfoot TryBot-Result: Gobot Gobot Reviewed-by: Chris Broadfoot Reviewed-on: https://go-review.googlesource.com/25013

[release-branch.go1.7] runtime: fix nanotime for macOS Sierra

2016-07-08T03:48:20Z

In the beta version of the macOS Sierra (10.12) release, the gettimeofday system call changed on x86. Previously it always returned the time in the AX/DX registers. Now, if AX is returned as 0, it means that the system call has stored the values into the memory pointed to by the first argument, just as the libc gettimeofday function does. The libc function handles both cases, and we need to do so as well. Fixes #16272. Change-Id: Ibe5ad50a2c5b125e92b5a4e787db4b5179f6b723 Reviewed-on: https://go-review.googlesource.com/24812 Reviewed-by: Brad Fitzpatrick Reviewed-on: https://go-review.googlesource.com/24755 Reviewed-by: Chris Broadfoot

[release-branch.go1.7] go1.7rc1

2016-07-08T02:57:35Z

Change-Id: Ifbf1c13ce740428add68d68133c7f10876bad404 Reviewed-on: https://go-review.googlesource.com/24816 TryBot-Result: Gobot Gobot Reviewed-by: Andrew Gerrand

runtime: handle selects with duplicate channels in shrinkstack

2016-07-08T02:05:40Z

The shrinkstack code locks all the channels a goroutine is waiting for, but didn't handle the case of the same channel appearing in the list multiple times. This led to a deadlock. The channels are sorted so it's easy to avoid locking the same channel twice. Fixes #16286. Change-Id: Ie514805d0532f61c942e85af5b7b8ac405e2ff65 Reviewed-on: https://go-review.googlesource.com/24815 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Austin Clements

lib/time: update to IANA release 2016f (July 2016)

2016-07-07T16:15:13Z

Fixes #16273 Change-Id: I443e1f254fd683c4ff61beadae89c1c45ff5d972 Reviewed-on: https://go-review.googlesource.com/24744 Reviewed-by: Andrew Gerrand Run-TryBot: Brad Fitzpatrick TryBot-Result: Gobot Gobot Reviewed-by: Quentin Smith Reviewed-by: Ian Lance Taylor

net/http: deflake TestClientRedirectContext

2016-07-07T04:06:52Z

The test was checking for 1 of 2 possible error values. But based on goroutine scheduling and the randomness of select statement receive cases, it was possible for a 3rd type of error to be returned. This modifies the code (not the test) to make that third type of error actually the second type of error, which is a nicer error message. The test is no longer flaky. The flake was very reproducible with a 5ms sleep before the select at the end of Transport.getConn. Thanks to Github user @jaredborner for debugging. Fixes #16049 Change-Id: I0d2a036c9555a8d2618b07bab01f28558d2b0b2c Reviewed-on: https://go-review.googlesource.com/24748 Reviewed-by: Andrew Gerrand Run-TryBot: Brad Fitzpatrick TryBot-Result: Gobot Gobot

path/filepath: fix typo in comment

2016-07-07T02:59:09Z

Change-Id: I0c76e8deae49c1149647de421503c5175028b948 Reviewed-on: https://go-review.googlesource.com/24781 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Brad Fitzpatrick

path/filepath: document Clean behavior for each function

2016-07-06T23:22:31Z

Document explicitly which functions Clean the result rather than documenting it in the package comment. Updates #10122. Fixes #16111. Change-Id: Ia589c7ee3936c9a6a758725ac7f143054d53e41e Reviewed-on: https://go-review.googlesource.com/24747 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Brad Fitzpatrick

cmd/compile, syscall: add //go:uintptrescapes comment, and use it

2016-07-06T20:48:41Z

This new comment can be used to declare that the uintptr arguments to a function may be converted from pointers, and that those pointers should be considered to escape. This is used for the Call methods in dll_windows.go that take uintptr arguments, because they call Syscall. We can't treat these functions as we do syscall.Syscall, because unlike Syscall they may cause the stack to grow. For Syscall we can assume that stack arguments can remain on the stack, but for these functions we need them to escape. Fixes #16035. Change-Id: Ia0e5b4068c04f8d303d95ab9ea394939f1f57454 Reviewed-on: https://go-review.googlesource.com/24551 Reviewed-by: David Chase Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot