net/url: reject IPv6 literal not at start of host - go - Fork of Go programming language with my patches.

diff options

author	Ian Alexander <jitsu@google.com>	2026-01-28 15:29:52 -0500
committer	Cherry Mui <cherryyz@google.com>	2026-03-05 17:05:02 -0800
commit	36d8b15842748194c4a2ce7e9cf46c65a958283c (patch)
tree	b0e9b4032ac78ad7625a3d13c0e846b8032dc833 /src/html/template/attr_string.go
parent	4270a44ed749c581457eed30239ad79195ff39c9 (diff)
download	go-36d8b15842748194c4a2ce7e9cf46c65a958283c.tar.xz

net/url: reject IPv6 literal not at start of host

This change rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL. For example: http://example.com[::1] -> rejects http://[::1] -> accepts Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. Fixes #77578. Fixes CVE-2026-25679. Change-Id: I7109031880758f7c1eb4eca513323328feace33c Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752180 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Diffstat (limited to 'src/html/template/attr_string.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: