gostls13.git log

commit b2967c0e5c5271bb4469e1f615fb85879ebd8a57 [browse]
Author: Dmitri Shuralyov
Date: 2019-08-13 11:23:32 -04:00

[release-branch.go1.11-security] go1.11.13

Change-Id: Idf5f9d00388b0da77f2c2ce3650eb65271bd9e68
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526996
Reviewed-by: Filippo Valsorda <valsorda@google.com>

commit df86e1945e96829e62b77518d03e0fc726d2d48f [browse]
Author: Dmitri Shuralyov
Date: 2019-08-13 10:27:29 -04:00

[release-branch.go1.11-security] doc: document Go 1.11.13

Change-Id: I0daab6cd347e1fc0066e516f02c33f1b63e3f1a3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526992
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit 685bfb1adec3d9fcb589f35eb2bc0b99d2f84bf0)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526994

commit c1d9ca70995dc232a2145e3214f94e03409f6fcc [browse]
Author: Filippo Valsorda
Date: 2019-08-06 19:32:16 -04:00

[release-branch.go1.11-security] net/url: make Hostname and Port predictable for invalid Host values

When Host is not valid per RFC 3986, the behavior of Hostname and Port
was wildly unpredictable, to the point that Host could have a suffix
that didn't appear in neither Hostname nor Port.

This is a security issue when applications are applying checks to Host
and expecting them to be meaningful for the contents of Hostname.

To reduce disruption, this change only aims to guarantee the following
two security-relevant invariants.

* Host is either Hostname or [Hostname] with Port empty, or
  Hostname:Port or [Hostname]:Port.

* Port is only decimals.

The second invariant is the one that's most likely to cause disruption,
but I believe it's important, as it's conceivable an application might
do a suffix check on Host and expect it to be meaningful for the
contents of Hostname (if the suffix is not a valid port).

There are three ways to ensure it.

1) Reject invalid ports in Parse. Note that non-numeric ports are
   already rejected if and only if the host starts with "[".

2) Consider non-numeric ports as part of Hostname, not Port.

3) Allow non-numeric ports, and hope they only flow down to net/http,
   which will reject them (#14353).

This change adopts both 1 and 2. We could do only the latter, but then
these invalid hosts would flow past port checks, like in
http_test.TestTransportRejectsAlphaPort. Non-numeric ports weren't fully
supported anyway, because they were rejected after IPv6 literals, so
this restores consistency. We could do only the former, but at this
point 2) is free and might help with manually constructed Host values
(or if we get something wrong in Parse).

Note that net.SplitHostPort and net.Dial explicitly accept service names
in place of port numbers, but this is an URL package, and RFC 3986,
Section 3.2.3, clearly specifies ports as a number in decimal.

net/http uses a mix of net.SplitHostPort and url.Parse that would
deserve looking into, but in general it seems that it will still accept
service names in Addr fields as they are passed to net.Listen, while
rejecting them in URLs, which feels correct.

This leaves a number of invalid URLs to reject, which however are not
security relevant once the two invariants above hold, so can be done in
Go 1.14: IPv6 literals without brackets (#31024), invalid IPv6 literals,
hostnames with invalid characters, and more.

Tested with 200M executions of go-fuzz and the following Fuzz function.

	u, err := url.Parse(string(data))
	if err != nil {
		return 0
	}
	h := u.Hostname()
	p := u.Port()

	switch u.Host {
	case h + ":" + p:
		return 1
	case "[" + h + "]:" + p:
		return 1
	case h:
		fallthrough
	case "[" + h + "]":
		if p != "" {
			panic("unexpected Port()")
		}
		return 1
	}
	panic("Host is not a variant of [Hostname]:Port")

Fixes CVE-2019-14809
Updates #29098

Change-Id: I7ef40823dab28f29511329fa2d5a7fb10c3ec895
Reviewed-on: https://go-review.googlesource.com/c/go/+/189258
Reviewed-by: Ian Lance Taylor <iant@golang.org>
(cherry picked from commit 61bb56ad63992a3199acc55b2537c8355ef887b6)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526408
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit 3226f2d492963d361af9dfc6714ef141ba606713)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526409

commit e152b01a468a1c18a290bf9aec52ccea7693c7f2 [browse]
Author: Filippo Valsorda
Date: 2019-08-12 16:59:30 -04:00

[release-branch.go1.11-security] net/http: update bundled http2 to import security fix

Apply the following unpublished golang.org/x/net commit.

    commit b1cc14aba47abf96f96818003fa4caad3a4b4e86
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    [release-branch.go1.11] http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
    (cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Fixes CVE-2019-9512 and CVE-2019-9514
Updates #33606

Change-Id: Iecedf1cc63ec7a1cd75661ec591d91ebc911cc64
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526072
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 4128f163d6dca1b8d703da8cf86ef679608856a0 [browse]
Author: Alexander Rakoczy
Date: 2019-07-08 15:42:12 -04:00

[release-branch.go1.11] go1.11.12

Change-Id: I7d61b51d4b1b522315370bd17483feab24a2c7bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/185260
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Alexander Rakoczy <alex@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

clone the repository to get more history