commit 439ff996f0ee506fc2eb84b7f11ffc360a6299f2
Author: Gopher Robot
Date: 2026-03-05 16:21:14 -08:00
[release-branch.go1.25] go1.25.8
Change-Id: Ibbe87e0b8afcff83ecbf8fc441a2fd4823c999fa
Reviewed-on: https://go-review.googlesource.com/c/go/+/752122
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
Auto-Submit: Gopher Robot <gobot@golang.org>
commit a9db31e6d9f280418ce441067f3f9dc0a036e770
Author: Roland Shoemaker
Date: 2026-01-09 11:12:01 -08:00
[release-branch.go1.25] html/template: properly escape URLs in meta content attributes
The meta tag can include a content attribute that contains URLs, which
we currently don't escape if they are inserted via a template action.
This can plausibly lead to XSS vulnerabilities if untrusted data is
inserted there, the http-equiv attribute is set to "refresh", and the
content attribute contains an action like `url={{.}}`.
Track whether we are inside of a meta element, if we are inside of a
content attribute, _and_ if the content attribute contains "url=". If
all of those are true, then we will apply the same URL escaping that we
use elsewhere.
Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this
escaping for cases where this behavior is considered safe. The behavior
can be disabled by setting htmlmetacontenturlescape=0.
Updates #77954
Fixes #77971
Fixes CVE-2026-27142
Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3644
Reviewed-by: Damien Neil <dneil@google.com>
Commit-Queue: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752101
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
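The following probe is an added example, not code from the Go project or from this change. It renders the meta refresh pattern named in the commit message with a constructed `javascript:` payload and reports whether html/template neutralised it, next to a plain `href` attribute as the control case (html/template has long replaced unsafe-scheme URLs there with `#ZgotmplZ`). Run it with the toolchain you ship to see whether the escaping from this fix is in effect; with `GODEBUG=htmlmetacontenturlescape=0` the previous behaviour returns and the payload is emitted verbatim. Function and template names are the example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// payload is a constructed javascript: URL. A correct escaper must not let it
// reach the browser unchanged in a URL position.
const payload = "javascript:alert(1)"

// render parses a single-action template and executes it with payload as data.
func render(tmplText string) (string, error) {
	t, err := template.New("probe").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, payload); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// HrefEscaped is the control case: html/template replaces a URL with an
// unsafe scheme in an href attribute by "#ZgotmplZ" on every supported
// toolchain, so this must report true.
func HrefEscaped() (bool, error) {
	out, err := render(`<a href="{{.}}">x</a>`)
	if err != nil {
		return false, err
	}
	return !strings.Contains(out, payload), nil
}

// MetaRefreshEscaped reports whether the same URL escaping is applied to the
// url= part of a meta refresh content attribute, the case fixed by this
// change. Without the fix (or with GODEBUG=htmlmetacontenturlescape=0) only
// ordinary attribute escaping runs, which touches quotes, angle brackets,
// '&' and '+' but leaves "javascript:alert(1)" intact.
func MetaRefreshEscaped() (bool, error) {
	out, err := render(`<meta http-equiv="refresh" content="0; url={{.}}">`)
	if err != nil {
		return false, err
	}
	return !strings.Contains(out, payload), nil
}

func main() {
	probes := []struct {
		name string
		fn   func() (bool, error)
	}{
		{"href attribute (control)", HrefEscaped},
		{"meta refresh content", MetaRefreshEscaped},
	}
	for _, p := range probes {
		ok, err := p.fn()
		if err != nil {
			fmt.Printf("%s: error: %v\n", p.name, err)
			continue
		}
		fmt.Printf("%s: URL escaping applied = %v\n", p.name, ok)
	}
}
```

A `false` for the meta case means a template that interpolates untrusted data into `content="...; url={{.}}"` will emit the attacker's URL unchanged on that toolchain.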
commit d8174a9500d53784594b198f6195d1fae8dfe803
Author: Ian Alexander
Date: 2026-01-28 15:29:52 -05:00
[release-branch.go1.25] net/url: reject IPv6 literal not at start of host
This change rejects IPv6 literals that do not appear at the start of the
host subcomponent of a URL.
For example:
http://example.com[::1] -> rejects
http://[::1] -> accepts
Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.
Updates #77578
Fixes #77969
Fixes CVE-2026-25679
Change-Id: I7109031880758f7c1eb4eca513323328feace33c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642
Reviewed-on: https://go-review.googlesource.com/c/go/+/752100
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
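An added example, not part of this change or of net/url: a wrapper that parses a URL and then applies the rule this fix enforces (a bracketed IPv6 literal may only appear at the very start of the host) as an explicit check on the parsed `Host`. It generalises slightly beyond the commit's two lines by also covering a misplaced literal followed by a port. On a toolchain with this fix `url.Parse` already rejects such input; the explicit check makes the outcome the same on older toolchains. The function name and error text are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errMisplacedIPv6 = errors.New("IPv6 literal must start the host")

// StrictParse parses raw with net/url and additionally rejects any host whose
// first '[' is not its first byte. The check is the example's own; it mirrors
// what a fixed net/url does inside url.Parse and is redundant there.
func StrictParse(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	// u.Host carries host and optional port but not userinfo, so a '[' at
	// index 0 is a literal in the right place; anywhere later is not.
	if i := strings.IndexByte(u.Host, '['); i > 0 {
		return nil, fmt.Errorf("%q: %w", u.Host, errMisplacedIPv6)
	}
	return u, nil
}

func main() {
	// Constructed inputs: the two shapes from the commit message plus a
	// port-bearing variant of the bad one.
	for _, raw := range []string{
		"http://example.com[::1]",
		"http://example.com[::1]:8080",
		"http://[::1]",
		"https://[2001:db8::1]:8443/path",
	} {
		u, err := StrictParse(raw)
		if err != nil {
			fmt.Printf("%-32s -> rejects: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-32s -> accepts: hostname=%q port=%q\n", raw, u.Hostname(), u.Port())
	}
}
```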
commit 4091800393d254befde3770fd16f51200ebd5a3d
Author: Damien Neil
Date: 2026-02-26 09:54:33 -08:00
[release-branch.go1.25] os: avoid escape from Root via ReadDir or Readdir
When reading the contents of a directory using
File.ReadDir or File.Readdir, the os.FileInfo was
populated on Unix platforms using lstat.
This lstat call is vulnerable to a TOCTOU race
and could escape the root.
For example:
- Open the directory "dir" within a Root.
This directory contains a file named "file".
- Use File.ReadDir to list the contents of "dir",
receiving a os.DirEntry for "dir/file".
- Replace "dir" with a symlink to "/etc".
- Use DirEntry.Info to retrieve the FileInfo for "dir/file".
This FileInfo contains information on "/etc/file" instead.
This escape permits identifying the presence or absence of
files outside a Root, as well as retrieving stat metadata
(size, mode, modification time, etc.) for files outside a Root.
This escape does not permit reading or writing to files
outside a Root.
For #77827
Fixes #77833
Fixes CVE-2026-27139
Change-Id: I40004f830c588e516aff8ee593d630d36a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/749480
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
(cherry picked from commit 657ed934e85dc575aad51356c4b437961e7c1313)
Reviewed-on: https://go-review.googlesource.com/c/go/+/749920
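The following is an added example, not code from this change or from the os package. It replays the four steps of the commit message in order inside a temporary directory (so there is no real race to win; the attacker's rename happens between ReadDir and Info) and reports whether `DirEntry.Info` described the file outside the Root. The inside and outside files are given different constructed sizes so the reported size identifies which one was stat'ed; the outside directory stands in for "/etc". It needs Go 1.24 or later for os.Root and a platform where os.Symlink works unprivileged. Names and sizes are the example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

const (
	insideContent  = "short"      // 5 bytes, the file inside the Root
	outsideContent = "muchlonger" // 10 bytes, the file outside the Root
)

// ProbeRootReadDirEscape returns true if DirEntry.Info followed the swapped-in
// symlink out of the Root. err is non-nil only for setup failures.
func ProbeRootReadDirEscape() (escaped bool, err error) {
	base, err := os.MkdirTemp("", "rootprobe")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(base)

	inside := filepath.Join(base, "root")     // the Root
	outside := filepath.Join(base, "outside") // stands in for "/etc"
	for _, d := range []string{filepath.Join(inside, "dir"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return false, err
		}
	}
	if err := os.WriteFile(filepath.Join(inside, "dir", "file"), []byte(insideContent), 0o644); err != nil {
		return false, err
	}
	if err := os.WriteFile(filepath.Join(outside, "file"), []byte(outsideContent), 0o644); err != nil {
		return false, err
	}

	// Step 1: open "dir" within the Root.
	root, err := os.OpenRoot(inside)
	if err != nil {
		return false, err
	}
	defer root.Close()
	dir, err := root.Open("dir")
	if err != nil {
		return false, err
	}
	defer dir.Close()

	// Step 2: list it; we receive a DirEntry for "dir/file".
	entries, err := dir.ReadDir(-1)
	if err != nil {
		return false, err
	}
	if len(entries) != 1 || entries[0].Name() != "file" {
		return false, fmt.Errorf("unexpected listing: %v", entries)
	}

	// Step 3: replace "dir" with a symlink pointing outside the Root.
	if err := os.Rename(filepath.Join(inside, "dir"), filepath.Join(inside, "dir.moved")); err != nil {
		return false, err
	}
	if err := os.Symlink(outside, filepath.Join(inside, "dir")); err != nil {
		return false, err
	}

	// Step 4: ask for the FileInfo. A path-based lstat now resolves through
	// the symlink to outside/file; a fixed toolchain either reports the
	// original file (via the still-open directory) or refuses the lookup.
	info, err := entries[0].Info()
	if err != nil {
		return false, nil
	}
	return info.Size() == int64(len(outsideContent)), nil
}

func main() {
	escaped, err := ProbeRootReadDirEscape()
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Println("DirEntry.Info escaped the Root:", escaped)
}
```

As the commit message notes, what leaks through this path is stat metadata (existence, size, mode, times) for files outside the Root, not their contents.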
commit 0ee4ab4c3f4f02ed9edee4e2479ced7177d5b03b
Author: Michal Pristas
Date: 2026-02-13 18:19:04 Z
[release-branch.go1.25] internal/syscall/windows: correct some enums and syscall signatures
This CL corrects code submitted in CL 741040.
Fixes #77406
Change-Id: I1c22c1a9f77028f3c2a8e3905f2ec5b071b5445e
GitHub-Last-Rev: 2bfb07310b4707484b5bdce96ad367db567741c4
GitHub-Pull-Request: golang/go#77525
Reviewed-on: https://go-review.googlesource.com/c/go/+/743780
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/749440
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Mark Freeman <markfreeman@google.com>