commit d375ae50633cdf1cd8536f2a199c382f9053b638
Author: Gopher Robot
Date: 2025-06-05 11:16:25 -07:00

[release-branch.go1.23] go1.23.10

Change-Id: Id4ed8879352dfe662a0ab96981a8d59e2fd80767
Reviewed-on: https://go-review.googlesource.com/c/go/+/679219
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Carlos Amedee <carlos@golang.org>

commit b897e97c36cb62629a458bc681723ca733404e32
Author: Neal Patel
Date: 2025-05-21 14:11:44 -04:00

[release-branch.go1.23] net/http: strip sensitive proxy headers from redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

Updates golang/go#73816
Fixes golang/go#73905
Fixes CVE-2025-4673

Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0
Reviewed-on: https://go-review.googlesource.com/c/go/+/679255
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
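
A client-side redirect policy that applies the same rule, as an added example (not part of this commit or of the Go source tree), useful as a defensive check for code that sets these headers itself. The header names `Proxy-Authorization` and `Proxy-Authenticate`, the function names, and the simplified same-domain-or-subdomain test are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Assumed header names; the commit message says only "Proxy-Authentication entries".
var proxyAuthHeaders = []string{"Proxy-Authorization", "Proxy-Authenticate"}

// sameOrSubdomain reports whether host is initial or a subdomain of it.
func sameOrSubdomain(host, initial string) bool {
	host, initial = strings.ToLower(host), strings.ToLower(initial)
	return host == initial || strings.HasSuffix(host, "."+initial)
}

// StripProxyAuthOnRedirect (hypothetical name) is a CheckRedirect hook. The
// client copies headers onto req before calling it, so deleting here takes effect.
func StripProxyAuthOnRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // setting CheckRedirect replaces the default 10-hop limit
		return errors.New("stopped after 10 redirects")
	}
	if len(via) > 0 && !sameOrSubdomain(req.URL.Hostname(), via[0].URL.Hostname()) {
		for _, h := range proxyAuthHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// HeaderSurvives simulates one redirect hop offline and reports whether the
// proxy credential is still present on the follow-up request.
func HeaderSurvives(from, to string) bool {
	first, err1 := http.NewRequest("GET", from, nil)
	next, err2 := http.NewRequest("GET", to, nil)
	if err1 != nil || err2 != nil {
		return false
	}
	next.Header.Set("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ=") // constructed value
	if StripProxyAuthOnRedirect(next, []*http.Request{first}) != nil {
		return false
	}
	return next.Header.Get("Proxy-Authorization") != ""
}

func main() {
	client := &http.Client{CheckRedirect: StripProxyAuthOnRedirect}
	_ = client // use this client for outbound requests
	fmt.Println(HeaderSurvives("http://a.example/x", "http://b.example/y")) // false
}
```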

commit c2c89d95516d2a6b51aa1766ed5f76e542ab282c
Author: Damien Neil
Date: 2025-05-13 15:35:19 -07:00

[release-branch.go1.23] os: don't follow symlinks on Windows when O_CREATE|O_EXCL

(This cherry-pick includes both CL 672396 and CL 676655.)

Match standard Unix behavior: Symlinks are not followed when
O_CREATE|O_EXCL is passed to open.

Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab
for discovering this issue.

For #73702
Fixes #73719
Fixes CVE-2025-0913

Change-Id: Ieb46a6780c5e9a6090b09cd34290f04a8e3b0ca5
Reviewed-on: https://go-review.googlesource.com/c/go/+/672396
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/677195
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>

commit 8eeb1340b230321dc3b797e4b9836cc5ef8f316d
Author: Cherry Mui
Date: 2025-05-21 14:32:21 -04:00

[release-branch.go1.23] cmd/link: allow linkname reference to a TEXT symbol regardless of size

In CL 660696, we made the linker choose the symbol of the
larger size in case there are multiple contentless declarations of
the same symbol. We also made it emit an error in the case that
there is a contentless declaration of a larger size and a
definition with content of a smaller size. In this case, we should
choose the definition with content, but code that accesses it
through the declaration of the larger size could fall into the
next symbol, potentially causing data corruption. So we disallowed
it.

There is one special case, though: some code uses a linknamed
variable declaration to reference a function in assembly, in order
to take its address. The variable is often declared as uintptr.
The function symbol is the definition, which could sometimes be
shorter. This would trigger the error case above, causing existing
code to fail to build.

This CL allows it as a special case. It is still not safe to
access the variable's content. But it is actually okay to just
take its address, which the existing code often does.

Updates #73617.
Fixes #73831.

Change-Id: I467381bc5f6baa16caee6752a0a824c7185422f6
Reviewed-on: https://go-review.googlesource.com/c/go/+/676636
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 70109eb32625487d9c774d602a4fa2422e218f1b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/676958
TryBot-Bypass: Cherry Mui <cherryyz@google.com>

commit 4ca7c01706ad6da07aed882528e595a39edd085b
Author: Sean Liao
Date: 2024-07-12 20:56:19 +01:00

[release-branch.go1.23] runtime/debug: document DefaultGODEBUG as a BuildSetting

For #66465
Fixes #73677

Change-Id: I60c017ddba29fa5b452b665d8521cd6c8e20438c
Reviewed-on: https://go-review.googlesource.com/c/go/+/597979
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jorropo <jorropo.pgm@gmail.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: qiu laidongfeng2 <2645477756@qq.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit c4136a433c28eb12abad777f8e74087ecf6e21f4)
Reviewed-on: https://go-review.googlesource.com/c/go/+/671936
Reviewed-by: Sean Liao <sean@liao.dev>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
