gostls13.git log

commit 324c3ace2d2e4e30949baa23b4c9aac8a4123317 [browse]
Author: Gopher Robot
Date: 2023-05-02 16:59:18 Z

[release-branch.go1.20] go1.20.4

Change-Id: I12cd69dd6b1c7c9620738a0d89b10e0a330a3004
Reviewed-on: https://go-review.googlesource.com/c/go/+/491435
Run-TryBot: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

commit 337dd75343145b74ed2073d793322eb4103b56ad [browse]
Author: Roland Shoemaker
Date: 2023-04-13 14:01:50 -07:00

[release-branch.go1.20] html/template: emit filterFailsafe for empty unquoted attr value

An unquoted action used as an attribute value can result in unsafe
behavior if it is empty, as HTML normalization will result in unexpected
attributes, and may allow attribute injection. If executing a template
results in a empty unquoted attribute value, emit filterFailsafe
instead.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59722
Fixes #59816
Fixes CVE-2023-29400

Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851494
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491358
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

commit 4a28cad66655ee01c6e944271e23c33cab021765 [browse]
Author: Roland Shoemaker
Date: 2023-04-11 16:27:43 +01:00

[release-branch.go1.20] html/template: handle all JS whitespace characters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For #59721
Fixes #59814
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491356
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

commit 090590fdccc8442728aa31601927da1bf2ef1288 [browse]
Author: Roland Shoemaker
Date: 2023-04-13 15:40:44 -07:00

[release-branch.go1.20] html/template: disallow angle brackets in CSS values

Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59720
Fixes #59812
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491336
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 25b4f4062589a349117aaf52edf8db8ffa68773b [browse]
Author: Damien Neil
Date: 2023-04-05 10:19:44 -07:00

[release-branch.go1.20] Revert "net/http: FileServer method check + minimal OPTIONS implementation"

This reverts https://go.dev/cl/413554

Reason for revert: Backwards-incompatible change in behavior.

For #53501
For #59375
Fixes #59469

Change-Id: Ic3f63b378f9c819599b32e5e6e410f6163849317
Reviewed-on: https://go-review.googlesource.com/c/go/+/482635
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit c02fa75086dbc6db0d90f477e7b4c839140fdeb2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/488635
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

clone the repository to get more history