- 09 Jan, 2020 2 commits
-
-
Carlos Amedee authored
Change-Id: I6e47da51c3687ae9590554d003d803270f50911e Reviewed-on: https://go-review.googlesource.com/c/go/+/214082 Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org>
-
Carlos Amedee authored
Change-Id: I3b2c26d4818ca28a71a7fd6927a0c39c9253f06f Reviewed-on: https://go-review.googlesource.com/c/go/+/214079Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 08 Jan, 2020 1 commit
-
-
Cherry Zhang authored
If a pointer write is not atomic, if the GC is running concurrently, it may observe a partially updated pointer, which may point to unallocated or already dead memory. Most pointer writes, like the store instructions generated by the compiler, are already atomic. But we still need to be careful in places like memmove. In memmove, we don't know which bits are pointers (or too expensive to query), so we ensure that all aligned pointer-sized units are written atomically. Fixes #36367. Updates #36101. Change-Id: I1b3ca24c6b1ac8a8aaf9ee470115e9a89ec1b00b Reviewed-on: https://go-review.googlesource.com/c/go/+/212626Reviewed-by: Austin Clements <austin@google.com> (cherry picked from commit ffbc0276) Reviewed-on: https://go-review.googlesource.com/c/go/+/213684 Run-TryBot: Cherry Zhang <cherryyz@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 07 Jan, 2020 1 commit
-
-
Bryan C. Mills authored
Previously, we accidentally wrote the Proxy-Authorization header for the initial CONNECT request to the shared ProxyConnectHeader map when it was non-nil. Updates #36431 Fixes #36433 Change-Id: I5cb414f391dddf8c23d85427eb6973f14c949025 Reviewed-on: https://go-review.googlesource.com/c/go/+/213638 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> (cherry picked from commit 249c85d3) Reviewed-on: https://go-review.googlesource.com/c/go/+/213677
-
- 03 Jan, 2020 2 commits
-
-
Jason A. Donenfeld authored
[release-branch.go1.12] runtime: do not use PowerRegisterSuspendResumeNotification on systems with "program time" timer Systems where PowerRegisterSuspendResumeNotification returns ERROR_ FILE_NOT_FOUND are also systems where nanotime() is on "program time" rather than "real time". The chain for this is: powrprof.dll!PowerRegisterSuspendResumeNotification -> umpdc.dll!PdcPortOpen -> ntdll.dll!ZwAlpcConnectPort("\\PdcPort") -> syscall -> ntoskrnl.exe!AlpcpConnectPort Opening \\.\PdcPort fails with STATUS_OBJECT_NAME_NOT_FOUND when pdc.sys hasn't been initialized. Pdc.sys also provides the various hooks for sleep resumption events, which means if it's not loaded, then our "real time" timer is actually on "program time". Finally STATUS_OBJECT_NAME_ NOT_FOUND is passed through RtlNtStatusToDosError, which returns ERROR_ FILE_NOT_FOUND. Therefore, in the case where the function returns ERROR_ FILE_NOT_FOUND, we don't mind, since the timer we're using will correspond fine with the lack of sleep resumption notifications. This applies, for example, to Docker users. Updates #35447 Updates #35482 Fixes #36377 Change-Id: I9e1ce5bbc54b9da55ff7a3918b5da28112647eee Reviewed-on: https://go-review.googlesource.com/c/go/+/208317Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com> Reviewed-by: Austin Clements <austin@google.com> Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/213198
-
Jason A. Donenfeld authored
Starting in Windows 8, the wait functions don't take into account suspend time, even though the monotonic counters do. This results in timer buckets stalling on resume. Therefore, this commit makes it so that on resume, we return from the wait functions and recalculate the amount of time left to wait. This is a cherry pick of CL 191957 and its cleanup, CL 198417. Updates #31528 Fixes #36376 Change-Id: I0db02cc72188cb620954e87a0180e0a3c83f4a56 Reviewed-on: https://go-review.googlesource.com/c/go/+/193607 Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Austin Clements <austin@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/213197
-
- 11 Dec, 2019 1 commit
-
-
Bryan C. Mills authored
The test for gopkg.in/yaml.v2@v2 assumes that there are no future upstream releases. That assumption empirically does not hold. Backporting fixes to this test is annoying, and other gopkg.in cases are already reasonably covered, so remove the problematic test. Updates #28856 Change-Id: I6455baa1816ac69e02d1ad5d03b82a93e1481a17 Reviewed-on: https://go-review.googlesource.com/c/go/+/205437 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit f0390ffc) Reviewed-on: https://go-review.googlesource.com/c/go/+/205439Reviewed-by: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 09 Dec, 2019 1 commit
-
-
Dmitri Shuralyov authored
Not all closed issues in a given minor milestone are included in that release, only the ones that have been labeled as CherryPickApproved are. Update the links to the GitHub issue tracker to include a filter on the CherryPickApproved label, so that the default view shows only the backports that were included in a given release. This should more useful to most people than seeing all backports (considered and approved). Do this only for Go 1.9.1 and newer releases, as that is when we started using the CherryPickCandidate and CherryPickApproved labels. Updates #35988 Fixes #36002 Change-Id: I51e07c1bc3ab9c4a5744e8f668c5470adf78bffe Reviewed-on: https://go-review.googlesource.com/c/go/+/210118 Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 04 Dec, 2019 4 commits
-
-
Carlos Amedee authored
Change-Id: I3f3fcee395bd3f9bdb6ad4028506ac90fb84c388 Reviewed-on: https://go-review.googlesource.com/c/go/+/209897 Run-TryBot: Carlos Amedee <carlos@golang.org> Run-TryBot: Alexander Rakoczy <alex@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
Carlos Amedee authored
Change-Id: I3641a086f167a1337aaaacd2d758b6a42b84a7fb Reviewed-on: https://go-review.googlesource.com/c/go/+/209845 Run-TryBot: Carlos Amedee <carlos@golang.org> Run-TryBot: Alexander Rakoczy <alex@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> (cherry picked from commit 98e7270a) Reviewed-on: https://go-review.googlesource.com/c/go/+/209846
-
Carlos Amedee authored
Change-Id: I7589ef4bdac776c8f141e9cc60f59f8643649310 Reviewed-on: https://go-review.googlesource.com/c/go/+/209840Reviewed-by: Alexander Rakoczy <alex@golang.org> Run-TryBot: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> (cherry picked from commit f805b05b) Reviewed-on: https://go-review.googlesource.com/c/go/+/209842 Run-TryBot: Carlos Amedee <carlos@golang.org>
-
Lynn Boger authored
If a compilation has multiple text sections, code in textOff must compare the offset argument against the range for each text section to determine which one it is in. The comparison looks like this: if uintptr(off) >= sectaddr && uintptr(off) <= sectaddr+sectlen If the off value being compared is equal to sectaddr+sectlen then it is not within the range of the text section but after it. The comparison should be just '<'. Fixes #35210 Change-Id: I114633fd734563d38f4e842dd884c6c239f73c95 Reviewed-on: https://go-review.googlesource.com/c/go/+/203817 Run-TryBot: Lynn Boger <laboger@linux.vnet.ibm.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Cherry Zhang <cherryyz@google.com> (cherry picked from commit 0ae93896) Reviewed-on: https://go-review.googlesource.com/c/go/+/203818 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Keith Randall <khr@golang.org>
-
- 22 Nov, 2019 1 commit
-
-
Andrew authored
Binary files included in testdata directories can cause Apple’s notarization service to reject us since they don’t abide by their strict requirements. To emulate go mod vendor, remove all _test.go and testdata files from the vendor directory and update the instructions. Updates #34986 Fixes #35747 Change-Id: I5cde905fc78838d2e3b1519dab4aeee13d8d5356 Reviewed-on: https://go-review.googlesource.com/c/go/+/208227 Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org>
-
- 21 Nov, 2019 1 commit
-
-
Andrew authored
Starting with macOS 10.15 (Catalina), Apple now requires all software distributed outside of the App Store to be notarized. Any binaries we distribute must abide by a strict set of requirements like code-signing and having a minimum target SDK of 10.9 (amongst others). Apple’s notarization service will recursively inspect archives looking to find notarization candidate binaries. If it finds a binary that does not meet the requirements or is unable to decompress an archive, it will reject the entire distribution. From cursory testing, it seems that the service uses content sniffing to determine file types, so changing the file extension will not work. There are some binaries and archives included in our distribution that are being detected by Apple’s service as potential candidates for notarization or decompression. As these are files used by tests and some are intentionally invalid, we don’t intend to ever make them compliant. As a workaround for this, we base64-encode any binaries or archives that Apple’s notarization service issues a warning for, as these warnings will become errors in January 2020. Updates #34986 Updates #35747 Change-Id: I106fbb6227b61eb221755568f047ee11103c1680 Reviewed-on: https://go-review.googlesource.com/c/go/+/208118 Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> (cherry picked from commit 8bbfc51d) Reviewed-on: https://go-review.googlesource.com/c/go/+/208220Reviewed-by: Alexander Rakoczy <alex@golang.org>
-
- 31 Oct, 2019 2 commits
-
-
Andrew Bonventre authored
Change-Id: Ic4db4625c4b7031aa08cb235f526267058a50430 Reviewed-on: https://go-review.googlesource.com/c/go/+/204641 Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org>
-
Andrew Bonventre authored
Change-Id: Ic65a74e56320adbd76aeef1cf3b19d7906ffe8fe Reviewed-on: https://go-review.googlesource.com/c/go/+/204639 Run-TryBot: Andrew Bonventre <andybons@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 17 Oct, 2019 5 commits
-
-
Alexander Rakoczy authored
Change-Id: I3494e831beac93e322788f7bd76948b52f769f37 Reviewed-on: https://go-review.googlesource.com/c/go/+/201822 Run-TryBot: Alexander Rakoczy <alex@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
-
Alexander Rakoczy authored
Change-Id: I832ba5f32d513b586bb0b02371231786b25631e3 Reviewed-on: https://go-review.googlesource.com/c/go/+/201817Reviewed-by: Andrew Bonventre <andybons@golang.org> (cherry picked from commit 58e8f789) Reviewed-on: https://go-review.googlesource.com/c/go/+/201821
-
Katie Hockman authored
Change-Id: Ied19fb5f182670c9dc3bd15327d461b203187cf6
-
Katie Hockman authored
Change-Id: I8421754104cb795270dbcb6f554ed3a78a719483 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575988Reviewed-by: Filippo Valsorda <valsorda@google.com>
-
Katie Hockman authored
Change-Id: I73f27924046a0a2493330ddc732d1a2fd3f730a5 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575981Reviewed-by: Filippo Valsorda <valsorda@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575985
-
- 16 Oct, 2019 1 commit
-
-
Katie Hockman authored
dsa.Verify might currently use a nil s inverse in a multiplication if the public key contains a non-prime Q, causing a panic. Change this to check that the mod inverse exists before using it. Fixes CVE-2019-17596 Change-Id: I94d5f3cc38f1b5d52d38dcb1d253c71b7fd1cae7 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/572809Reviewed-by: Filippo Valsorda <valsorda@google.com> (cherry picked from commit 9119dfb0511326d4485b248b83d4fde19c95d0f7) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/575232
-
- 09 Oct, 2019 4 commits
-
-
Bryan C. Mills authored
[release-branch.go1.12] cmd/vendor/golang.org/x/arch/arm64/arm64asm: recognise new ssbb/pssbb mnemonics from objdump This patches in CL 136455 from the 'arch' repo. Commands run: ~/go/src/cmd$ GOPATH=$(../../bin/go env GOROOT) govendor fetch golang.org/x/arch/arm64/arm64asm@b19384d3c130858bb31a343ea8fce26be71b5998 Updates #27754 Fixes #31305 Change-Id: I8fcc3bc3c718cf0d93afbd1d383df48316b522d4 Reviewed-on: https://go-review.googlesource.com/136455 Run-TryBot: Michael Hudson-Doyle <michael.hudson@canonical.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Cherry Zhang <cherryyz@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/200057 Run-TryBot: Bryan C. Mills <bcmills@google.com>
-
Michael Munday authored
On Ubuntu 18.04 I am seeing GDB fail to restore the stack pointer during this test because stack unwinding can't find the PC. This CL is essentially a partial revert of CL 23940 and fixes the issue on s390x. Fixes #33757 Change-Id: Ib4c41162dc85dc882eb6e248330f4082c3fa94c3 Reviewed-on: https://go-review.googlesource.com/c/go/+/169857 Run-TryBot: Cherry Zhang <cherryyz@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Cherry Zhang <cherryyz@google.com> (cherry picked from commit d91f7e66) Reviewed-on: https://go-review.googlesource.com/c/go/+/200039 Run-TryBot: Katie Hockman <katie@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com> Reviewed-by: Michael Munday <mike.munday@ibm.com>
-
Tobias Klauser authored
Update the expected data to fix the longtest builder. Updates #28856 Change-Id: I7fb6ee72e8469d974561b4b4057f40142f5b3654 Reviewed-on: https://go-review.googlesource.com/c/go/+/198557 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> (cherry picked from commit 64785bf9) Reviewed-on: https://go-review.googlesource.com/c/go/+/198700 Run-TryBot: Bryan C. Mills <bcmills@google.com> (cherry picked from commit 17a492fdd5560a1b6e640a47a9ca83d2853341df) Reviewed-on: https://go-review.googlesource.com/c/go/+/200038
-
Bryan C. Mills authored
Updates #30571 Fixes #34789 Change-Id: Id4c74e83ee58a080d1c2894ae5ebdbf4aeb1ce42 Reviewed-on: https://go-review.googlesource.com/c/go/+/167084 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Jay Conrod <jayconrod@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> (cherry picked from commit bd680d94) Reviewed-on: https://go-review.googlesource.com/c/go/+/200037
-
- 08 Oct, 2019 1 commit
-
-
Bryan C. Mills authored
TestGoGetInsecure verifies that 'go get -insecure' can fetch a particular package. However, the GOPROXY protocol does not provide a means for proxies to indicate packages as insecure; thus, proxies cannot safely serve those packages. This also squashes the typo fix from CL 167086. Updates #30571 Fixes #33758 Change-Id: I447776dff98bd8ee6eb5055b897b9c7d293e3423 Reviewed-on: https://go-review.googlesource.com/c/go/+/165745 Run-TryBot: Bryan C. Mills <bcmills@google.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/199820 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com>
-
- 03 Oct, 2019 1 commit
-
-
Brad Fitzpatrick authored
If a request for a PTR record returned a response with a non-PTR answer, goLookupPTR would loop forever. Skipping non-PTR answers guarantees progress through the DNS response. Fixes #34661 Updates #34660 Change-Id: Ib5e5263243bc34b9e2f85aa2b913c9cd50dbcaa5 Reviewed-on: https://go-review.googlesource.com/c/go/+/198497 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
-
- 26 Sep, 2019 1 commit
-
-
Filippo Valsorda authored
Change-Id: I6c822dfc305d629022c7da21ab399367bf021cf7
-
- 25 Sep, 2019 3 commits
-
-
Filippo Valsorda authored
Change-Id: I64d76a35ad113110cb83117c6ce5d4d923d93c93 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558789Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-
Filippo Valsorda authored
Change-Id: If694ce529393b8ae9c6c55270665efc3a108a3b2 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558778Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558784
-
Filippo Valsorda authored
[release-branch.go1.12-security] net/textproto: don't normalize headers with spaces before the colon RFC 7230 is clear about headers with a space before the colon, like X-Answer : 42 being invalid, but we've been accepting and normalizing them for compatibility purposes since CL 5690059 in 2012. On the client side, this is harmless and indeed most browsers behave the same to this day. On the server side, this becomes a security issue when the behavior doesn't match that of a reverse proxy sitting in front of the server. For example, if a WAF accepts them without normalizing them, it might be possible to bypass its filters, because the Go server would interpret the header differently. Worse, if the reverse proxy coalesces requests onto a single HTTP/1.1 connection to a Go server, the understanding of the request boundaries can get out of sync between them, allowing an attacker to tack an arbitrary method and path onto a request by other clients, including authentication headers unknown to the attacker. This was recently presented at multiple security conferences: https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn net/http servers already reject header keys with invalid characters. Simply stop normalizing extra spaces in net/textproto, let it return them unchanged like it does for other invalid headers, and let net/http enforce RFC 7230, which is HTTP specific. This loses us normalization on the client side, but there's no right answer on the client side anyway, and hiding the issue sounds worse than letting the application decide. Fixes CVE-2019-16276 Change-Id: I6d272de827e0870da85d93df770d6a0e161bbcf1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/549719Reviewed-by: Brad Fitzpatrick <bradfitz@google.com> (cherry picked from commit 1280b868e82bf173ea3e988be3092d160ee66082) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/558776Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-
- 06 Sep, 2019 1 commit
-
-
Clément Chigot authored
This commit changes sendmsg, recvmsg to use nsendmsg, nrecvmsg on AIX. These syscalls support the new msghdr structure (with Control and Controllen) which is needed for golang.org/x/net. Also define SockaddrDataLink. Fixes #33982 Change-Id: I233fbd24f9eb86648e0d4d50c2b56da3626292d0 Reviewed-on: https://go-review.googlesource.com/c/go/+/170537 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com> (cherry picked from commit e014184c) Reviewed-on: https://go-review.googlesource.com/c/go/+/193608Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
-
- 26 Aug, 2019 1 commit
-
-
obei authored
Updates #33738 Change-Id: If0856d7c57ecfde08341c1aecb5e92361fd64f2b Reviewed-on: https://go-review.googlesource.com/c/go/+/191217Reviewed-by: Andrew Bonventre <andybons@golang.org> Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> (cherry picked from commit cded9f43) Reviewed-on: https://go-review.googlesource.com/c/go/+/191748Reviewed-by: Katie Hockman <katie@golang.org>
-
- 15 Aug, 2019 2 commits
-
-
Dmitri Shuralyov authored
Change-Id: I70dc0e2accd83d9c974b95075f9e83a82d89563d Reviewed-on: https://go-review.googlesource.com/c/go/+/190407 Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Alexander Rakoczy <alex@golang.org>
-
Dmitri Shuralyov authored
Change-Id: I88b7e085fc70f9c021788d364099f5bc6b705ba8 Reviewed-on: https://go-review.googlesource.com/c/go/+/190438Reviewed-by: Filippo Valsorda <filippo@golang.org> (cherry picked from commit 0212f041) Reviewed-on: https://go-review.googlesource.com/c/go/+/190406Reviewed-by: Alexander Rakoczy <alex@golang.org>
-
- 13 Aug, 2019 3 commits
-
-
Filippo Valsorda authored
Change-Id: I29801b98d975da0bbc092b16dc9771564a39a10a
-
Dmitri Shuralyov authored
Change-Id: I131f93770f9bc5f2d4ee73f158607c1c9e1550bb Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/527000Reviewed-by: Filippo Valsorda <valsorda@google.com>
-
Dmitri Shuralyov authored
Change-Id: I0daab6cd347e1fc0066e516f02c33f1b63e3f1a3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526992Reviewed-by: Filippo Valsorda <valsorda@google.com> (cherry picked from commit 685bfb1adec3d9fcb589f35eb2bc0b99d2f84bf0) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526993
-
- 12 Aug, 2019 1 commit
-
-
Filippo Valsorda authored
[release-branch.go1.12-security] net/url: make Hostname and Port predictable for invalid Host values When Host is not valid per RFC 3986, the behavior of Hostname and Port was wildly unpredictable, to the point that Host could have a suffix that didn't appear in neither Hostname nor Port. This is a security issue when applications are applying checks to Host and expecting them to be meaningful for the contents of Hostname. To reduce disruption, this change only aims to guarantee the following two security-relevant invariants. * Host is either Hostname or [Hostname] with Port empty, or Hostname:Port or [Hostname]:Port. * Port is only decimals. The second invariant is the one that's most likely to cause disruption, but I believe it's important, as it's conceivable an application might do a suffix check on Host and expect it to be meaningful for the contents of Hostname (if the suffix is not a valid port). There are three ways to ensure it. 1) Reject invalid ports in Parse. Note that non-numeric ports are already rejected if and only if the host starts with "[". 2) Consider non-numeric ports as part of Hostname, not Port. 3) Allow non-numeric ports, and hope they only flow down to net/http, which will reject them (#14353). This change adopts both 1 and 2. We could do only the latter, but then these invalid hosts would flow past port checks, like in http_test.TestTransportRejectsAlphaPort. Non-numeric ports weren't fully supported anyway, because they were rejected after IPv6 literals, so this restores consistency. We could do only the former, but at this point 2) is free and might help with manually constructed Host values (or if we get something wrong in Parse). Note that net.SplitHostPort and net.Dial explicitly accept service names in place of port numbers, but this is an URL package, and RFC 3986, Section 3.2.3, clearly specifies ports as a number in decimal. net/http uses a mix of net.SplitHostPort and url.Parse that would deserve looking into, but in general it seems that it will still accept service names in Addr fields as they are passed to net.Listen, while rejecting them in URLs, which feels correct. This leaves a number of invalid URLs to reject, which however are not security relevant once the two invariants above hold, so can be done in Go 1.14: IPv6 literals without brackets (#31024), invalid IPv6 literals, hostnames with invalid characters, and more. Tested with 200M executions of go-fuzz and the following Fuzz function. u, err := url.Parse(string(data)) if err != nil { return 0 } h := u.Hostname() p := u.Port() switch u.Host { case h + ":" + p: return 1 case "[" + h + "]:" + p: return 1 case h: fallthrough case "[" + h + "]": if p != "" { panic("unexpected Port()") } return 1 } panic("Host is not a variant of [Hostname]:Port") Fixes CVE-2019-14809 Updates #29098 Change-Id: I7ef40823dab28f29511329fa2d5a7fb10c3ec895 Reviewed-on: https://go-review.googlesource.com/c/go/+/189258Reviewed-by: Ian Lance Taylor <iant@golang.org> (cherry picked from commit 61bb56ad) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526408Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-