gostls13.git log

commit c187a3d47c41d54bd570905caad128ba947e3d03 [browse]
Author: Dmitri Shuralyov
Date: 2020-09-01 09:01:09 -04:00

[release-branch.go1.14-security] go1.14.8

Change-Id: Ie582b6c53c6b120c56fbdd22b0c6946dd87f093b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835358
Reviewed-by: Filippo Valsorda <valsorda@google.com>

commit 8fcee8abbea1bb959c63a6944f9ddf490a97f802 [browse]
Author: Roberto Clapis
Date: 2020-08-26 08:53:03 +02:00

[release-branch.go1.14-security] net/http/cgi,net/http/fcgi: add Content-Type detection

This CL ensures that responses served via CGI and FastCGI
have a Content-Type header based on the content of the
response if not explicitly set by handlers.

If the implementers of the handler did not explicitly
specify a Content-Type both CGI implementations would default
to "text/html", potentially causing cross-site scripting.

Thanks to RedTeam Pentesting GmbH for reporting this.

Fixes CVE-2020-24553

Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
Reviewed-by: Russ Cox <rsc@google.com>
(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835312
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit d571a77846dfee8efd076223a882915cd6cb52f4 [browse]
Author: Alexander Rakoczy
Date: 2020-08-06 10:07:05 -04:00

[release-branch.go1.14-security] go1.14.7

Change-Id: Ifad33b3ca723231ef1c80ff01db90fd35e322f3d
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/814548
Reviewed-by: Katie Hockman <katiehockman@google.com>

commit 51bb041f7cf17c5e8e10a7307521625437687b04 [browse]
Author: Katie Hockman
Date: 2020-08-04 11:45:32 -04:00

[release-branch.go1.14-security] encoding/binary: read at most MaxVarintLen64 bytes in ReadUvarint

This CL ensures that ReadUvarint consumes only a limited
amount of input (instead of an unbounded amount).

On some inputs, ReadUvarint could read an arbitrary number
of bytes before deciding to return an overflow error.
After this CL, ReadUvarint returns that same overflow
error sooner, after reading at most MaxVarintLen64 bytes.

Fix authored by Robert Griesemer and Filippo Valsorda.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
and Preston Van Loon for reporting this.

Fixes CVE-2020-16845

Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812326

commit edfd6f28486017dcb136cd3f3ec252706d4b326e [browse]
Author: Andrew Bonventre
Date: 2020-07-16 17:41:54 -04:00

[release-branch.go1.14] go1.14.6

Change-Id: If9f503098056bd86b2bf51e3297b1bcecd8453bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/243138
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

clone the repository to get more history