commit 23991f50b34f8707bcfc7761321bb3b0e9dba10e
Author: Than McIntosh
Date: 2021-11-04 08:59:03 -04:00

[release-branch.go1.16] go1.16.10

Change-Id: I872971806a723e6add42bb78f91a8ef8586f3d58
Reviewed-on: https://go-review.googlesource.com/c/go/+/361199
Trust: Than McIntosh <thanm@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

commit 88407a8dd98411f1730907dc8a69b99488af0052
Author: Jason7602
Date: 2021-09-14 21:38:19 +08:00

[release-branch.go1.16] archive/zip: don't panic on (*Reader).Open

Previously, opening a zip with (*Reader).Open could result in a panic if
the zip contained a file whose name was exclusively made up of slash
characters or ".." path elements.

Open could also panic if passed the empty string directly as an argument.

Now, any files in the zip whose name could not be made valid for
fs.FS.Open will be skipped, and no longer added to the fs.FS file list,
although they are still accessible through (*Reader).File.

Note that it was already the case that a file could be accessible from
(*Reader).Open with a name different from the one in (*Reader).File, as
the former is the cleaned name, while the latter is the original one.

Finally, made the actual panic site robust as a defense-in-depth measure.

Fixes CVE-2021-41772
Fixes #48251
Updates #48085

Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I6271a3f2892e7746f52e213b8eba9a1bba974678
Reviewed-on: https://go-review.googlesource.com/c/go/+/349770
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Julie Qiu <julie@golang.org>
(cherry picked from commit b24687394b55a93449e2be4e6892ead58ea9a10f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/360858
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
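
A regression check for the behaviour the archive/zip commit message above describes, added here as an example and not taken from the Go repository: it builds a constructed in-memory zip with slash-only entry names and compares (*Reader).File with the fs.FS view. The helper names must, buildSample and compareViews are hypothetical; it assumes a toolchain that contains this fix (Go 1.20 or later for zip.ErrInsecurePath).

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io/fs"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildSample (hypothetical helper) returns a constructed zip: two slash-only names, one normal file.
func buildSample() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"/", "//", "docs/ok.txt"} {
		_, err := w.Create(name)
		must(err)
	}
	must(w.Close())
	return buf.Bytes()
}

// compareViews returns raw (*Reader).File names, fs.FS file names, and the error from Open("").
func compareViews(data []byte) (raw, viaFS []string, emptyErr error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may report ErrInsecurePath yet still return a usable reader.
	if !errors.Is(err, zip.ErrInsecurePath) {
		must(err)
	}
	for _, f := range r.File {
		raw = append(raw, f.Name)
	}
	must(fs.WalkDir(r, ".", func(p string, d fs.DirEntry, err error) error {
		if err == nil && !d.IsDir() {
			viaFS = append(viaFS, p)
		}
		return err
	}))
	_, emptyErr = r.Open("")
	return raw, viaFS, emptyErr
}

func main() { fmt.Println(compareViews(buildSample())) }
```

Code that audits or extracts archives should iterate (*Reader).File if it needs to see every entry, since the fs.FS view omits names that cannot be made valid.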

commit 631b56767cdcfb3deb0ba9c6036065c60fd43f07
Author: Dmitri Shuralyov
Date: 2021-10-29 13:15:55 -04:00

[release-branch.go1.16] net/http: update bundled golang.org/x/net/http2

Pull in approved backports to golang.org/x/net/http2:

    d8c3cde set ContentLength to -1 for HEAD response with no Content-Length
    7b24c0a set Response.ContentLength to 0 when headers end stream
    c4031f5 don't abort half-closed streams on server connection close
    2f744fa on write errors, close ClientConn before returning from RoundTrip
    275be3f deflake TestTransportReqBodyAfterResponse_200
    d26011a close the Request's Body when aborting a stream
    e5dd05d return unexpected eof on empty response with non-zero content length
    640e170 don't rely on system TCP buffer sizes in TestServer_MaxQueuedControlFrames
    198b78c detect write-blocked PING frames
    20ed279 avoid race in TestTransportReqBodyAfterResponse_403.
    d585ef0 avoid clientConnPool panic when NewClientConn fails
    d06dfc7 avoid extra GetConn trace call
    1760f31 refactor request write flow
    6e87631 remove PingTimeout from TestTransportPingWhenReading
    b843c7d fix Transport connection pool TOCTOU max concurrent stream bug
    ab1d67c shut down idle Transport connections after protocol errors
    3741e47 remove check for read-after-close of request bodies
    2df4c53 fix race in DATA frame padding refund
    d7eefc9 avoid blocking while holding ClientConn.mu
    78e8d65 fix off-by-one error in client check for max concurrent streams
    828651b close request body after early RoundTrip failures
    59c0c25 limit client initial MAX_CONCURRENT_STREAMS
    524fcad make Transport not reuse conns after a stream protocol error
    0fe5f8a accept zero-length block fragments in HEADERS frames
    0e5043f close the request body if needed
    bb4ce86 reduce frameScratchBuffer caching aggressiveness
    3112343 also set "http/1.1" ALPN in ConfigureServer
    63939f4 switch to ASCII equivalents of string functions
    54161af use (*tls.Dialer).DialContext in dialTLS
    75b906f discard DATA frames with higher stream IDs during graceful shutdown
    1dfe517 rework Ping test to rely less on timing

By doing:

    $ go get -d golang.org/x/net@internal-branch.go1.16-vendor
    go get: upgraded golang.org/x/net v0.0.0-20210901185431-d2e9a4ea682f => v0.0.0-20211101194150-d8c3cde3c676
    $ go mod tidy
    $ go mod vendor
    $ go generate -run=bundle std

Fixes #49076.
Fixes #48822.
Fixes #48649.

Change-Id: Ie17f327eef2b6e6a9a1ac7635c5c4daef792e893
Reviewed-on: https://go-review.googlesource.com/c/go/+/359774
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>

commit d19c5bdb24e093a2d5097b7623284eb02726cede
Author: Roland Shoemaker
Date: 2021-10-14 13:02:01 -07:00

[release-branch.go1.16] debug/macho: fail on invalid dynamic symbol table command

Fail out when loading a file that contains a dynamic symbol table
command that indicates a larger number of symbols than exist in the
loaded symbol table.

Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
reporting this issue.

Updates #48990
Fixes #48991
Fixes CVE-2021-41771

Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Katie Hockman <katie@golang.org>
(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

commit 900443349b17bb1f989daa64856546955c70d104
Author: Richard Musiol
Date: 2021-10-24 12:28:18 +02:00

[release-branch.go1.16] cmd/link: increase reserved space for passing env on wasm

On wasm, the wasm_exec.js helper passes the command line arguments and
environment variables via a reserved space in the wasm linear memory.
Increase this reserved space from 4096 to 8192 bytes so more environment
variables can fit into the limit.

Later, after https://golang.org/cl/350737 landed, we can switch to the
WASI interface for getting the arguments and environment. This would
remove the limit entirely.

Updates #49011.
Fixes #49153.

Change-Id: I48a6e952a97d33404ed692c98e9b49c5cd6b269b
Reviewed-on: https://go-review.googlesource.com/c/go/+/358194
Trust: Richard Musiol <neelance@gmail.com>
Run-TryBot: Richard Musiol <neelance@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
(cherry picked from commit 252324e879e32f948d885f787decf8af06f82be9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/359400
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>