gostls13.git log

commit f58c78a5771570667b26e8c74faa017bd4c2c448 [browse]
Author: Than McIntosh
Date: 2021-11-04 09:00:47 -04:00

[release-branch.go1.17] go1.17.3

Change-Id: Iaf0b58846a9641525f43f4dc64962c13c0c7e8e3
Reviewed-on: https://go-review.googlesource.com/c/go/+/361200
Trust: Than McIntosh <thanm@google.com>
Run-TryBot: Than McIntosh <thanm@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

commit b212ba68296b503b395e7d1838ca72a19030a6bf [browse]
Author: Jason7602
Date: 2021-09-14 21:38:19 +08:00

[release-branch.go1.17] archive/zip: don't panic on (*Reader).Open

Previously, opening a zip with (*Reader).Open could result in a panic if
the zip contained a file whose name was exclusively made up of slash
characters or ".." path elements.

Open could also panic if passed the empty string directly as an argument.

Now, any files in the zip whose name could not be made valid for
fs.FS.Open will be skipped, and no longer added to the fs.FS file list,
although they are still accessible through (*Reader).File.

Note that it was already the case that a file could be accessible from
(*Reader).Open with a name different from the one in (*Reader).File, as
the former is the cleaned name, while the latter is the original one.

Finally, made the actual panic site robust as a defense-in-depth measure.

Fixes CVE-2021-41772
Fixes #48252
Updates #48085

Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I6271a3f2892e7746f52e213b8eba9a1bba974678
Reviewed-on: https://go-review.googlesource.com/c/go/+/349770
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Julie Qiu <julie@golang.org>
(cherry picked from commit b24687394b55a93449e2be4e6892ead58ea9a10f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/360859
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>

commit f9cb33c7c9d48fd0c38d17a659d5e968de648d40 [browse]
Author: Dmitri Shuralyov
Date: 2021-10-29 14:16:47 -04:00

[release-branch.go1.17] net/http: update bundled golang.org/x/net/http2

Pull in approved backports to golang.org/x/net/http2:

	95aca89 set ContentLength to -1 for HEAD response with no Content-Length
	bd5b1b8 set Response.ContentLength to 0 when headers end stream
	27001ec don't abort half-closed streams on server connection close
	f0a8156 on write errors, close ClientConn before returning from RoundTrip
	9a182eb deflake TestTransportReqBodyAfterResponse_200
	821db7b close the Request's Body when aborting a stream
	028e125 return unexpected eof on empty response with non-zero content length
	5388f2f don't rely on system TCP buffer sizes in TestServer_MaxQueuedControlFrames
	fc298ce detect write-blocked PING frames
	e96ad84 avoid race in TestTransportReqBodyAfterResponse_403.
	7f15435 avoid clientConnPool panic when NewClientConn fails
	9572bae avoid extra GetConn trace call
	b04064c refactor request write flow
	7e165c9 remove PingTimeout from TestTransportPingWhenReading
	ef976fc fix Transport connection pool TOCTOU max concurrent stream bug
	1d9597c shut down idle Transport connections after protocol errors
	c173d09 remove check for read-after-close of request bodies
	466a463 fix race in DATA frame padding refund
	4028c5f avoid blocking while holding ClientConn.mu
	b91f72d fix off-by-one error in client check for max concurrent streams
	21e6c63 close request body after early RoundTrip failures
	e79adf9 limit client initial MAX_CONCURRENT_STREAMS
	c0c2bc5 make Transport not reuse conns after a stream protocol error
	14c0235 accept zero-length block fragments in HEADERS frames
	0d2c43c close the request body if needed
	5627bb0 reduce frameScratchBuffer caching aggressiveness
	c9f4fb0 also set "http/1.1" ALPN in ConfigureServer

By doing:

	$ go get -d golang.org/x/net@internal-branch.go1.17-vendor
	go get: upgraded golang.org/x/net v0.0.0-20210901185426-6d2eada6345e => v0.0.0-20211101194204-95aca89e93de
	$ go mod tidy
	$ go mod vendor
	$ go generate -run=bundle std

Fixes #49077.
Fixes #48823.
Fixes #48650.

Change-Id: Idb972ba5313080626b60b4111d52b80197364ff4
Reviewed-on: https://go-review.googlesource.com/c/go/+/359776
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Go Bot <gobot@golang.org>

commit 4a842985bf3f71d93a2b1340d9d6685bebc12b6b [browse]
Author: Roland Shoemaker
Date: 2021-10-14 13:02:01 -07:00

[release-branch.go1.17] debug/macho: fail on invalid dynamic symbol table command

Fail out when loading a file that contains a dynamic symbol table
command that indicates a larger number of symbols than exist in the
loaded symbol table.

Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
reporting this issue.

Updates #48990
Fixes #48992
Fixes CVE-2021-41771

Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Katie Hockman <katie@golang.org>
(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
Reviewed-on: https://go-review.googlesource.com/c/go/+/359455
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

commit f6f024f1209d99dec79ae2aeb9d50677d627ffd6 [browse]
Author: Russ Cox
Date: 2021-10-27 22:59:55 -04:00

[release-branch.go1.17] cmd/go: update for //go:build lines

cmd/go has its own //go:build evaluator, which is needed for
patterns like 'all'. The code is a modified copy of some unexported
routines from the go/build package. Update it by copying those
again and re-modifying them. The modifications are primarily the new
func eval and also ignoring errors.

This CL will need to be backported to Go 1.17, or else Go 1.17
will break when faced with certain //go:build-only repos during
'go list all' or 'go mod tidy'.

For #41184.
Fixes #49198.

Change-Id: Ie0fe3caa8d49004935ecd76d7977f767fe50e317
Reviewed-on: https://go-review.googlesource.com/c/go/+/359355
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/359404

clone the repository to get more history