gostls13.git log

commit e87b10ea2a2c6c65b80c4374af42b9c02ac9fb20 [browse]
Author: Gopher Robot
Date: 2026-03-05 16:19:54 -08:00

[release-branch.go1.26] go1.26.1

Change-Id: Ia2366ca54412a0e31c3838f71f302e2e7f26260e
Reviewed-on: https://go-review.googlesource.com/c/go/+/752121
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit e792d6aa952dbfdd3e8eac6f7abc3efd9df09030 [browse]
Author: Roland Shoemaker
Date: 2026-02-11 14:49:13 -08:00

[release-branch.go1.26] crypto/x509: fix name constraint checking panic

Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which
causes the excluded domain name wildcard checking to panic, because we
assume names are always non-empty. RFC 5280 appears to say the empty
string should not be accepted, although confusingly refers to this as
" " (a single space). We should probably not allow that when creating
certificates, and possibly when creating them as well (1.27 I guess).

Thanks to Jakub Ciolek for reporting this issue.

Updates #77953
Fixes #77974
Fixes CVE-2026-27138

Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752083
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>

commit a761c9ff70fec8e1089897eebd104a8f31cff2d3 [browse]
Author: Roland Shoemaker
Date: 2026-02-11 15:16:38 -08:00

[release-branch.go1.26] crypto/x509: fix full email constraint matching

For full email addresses (local@domain), we stored a map between the
case sensitive local portion to the case insensitive domain portion, and
used that to check if a email SAN matched the constraint. This could be
abused, because it was a map[string]string, meaning if any two
constraints had the same local portion but different domains, the second
would overwrite the first.

Change the map from map[string]string to map[rfc2821Mailbox]struct{},
where the domain portion of the mailbox is lowercased. When checking for
a match we then check the parsed mailbox against the map, lowercasing
the domain portion of the query when we initially parse the address.
This gives us the same functionality as before, but without the
possibility of one constraint overwriting another.

Thanks to Jakub Ciolek for reporting this issue.

Updates #77952
Fixes #77973
Fixes CVE-2026-27137

Change-Id: Ia405209be6f3b87cf4ac220a645467418dc41805
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3440
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3620
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752082
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>

commit 994692847a2cd3efd319f0cb61a07c0012c8a4ff [browse]
Author: Roland Shoemaker
Date: 2026-01-09 11:12:01 -08:00

[release-branch.go1.26] html/template: properly escape URLs in meta content attributes

The meta tag can include a content attribute that contains URLs, which
we currently don't escape if they are inserted via a template action.
This can plausibly lead to XSS vulnerabilities if untrusted data is
inserted there, the http-equiv attribute is set to "refresh", and the
content attribute contains an action like `url={{.}}`.

Track whether we are inside of a meta element, if we are inside of a
content attribute, _and_ if the content attribute contains "url=". If
all of those are true, then we will apply the same URL escaping that we
use elsewhere.

Also add a new GODEBUG, htmlmetacontenturlescape, to allow disabling this
escaping for cases where this behavior is considered safe. The behavior
can be disabled by setting htmlmetacontenturlescape=0.

Updates #77954
Fixes #77972
Fixes CVE-2026-27142

Change-Id: I9bbca263be9894688e6ef1e9a8f8d2f4304f5873
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3360
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3643
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752081
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 65c7d7a9fb3a9d1fbf1e702a211b8cc3a7bedb53 [browse]
Author: Ian Alexander
Date: 2026-01-28 15:29:52 -05:00

[release-branch.go1.26] net/url: reject IPv6 literal not at start of host

This change rejects IPv6 literals that do not appear at the start of the
host subcomponent of a URL.

For example:
  http://example.com[::1] -> rejects
  http://[::1]            -> accepts

Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.

Updates #77578
Fixes #77970
Fixes CVE-2026-25679

Change-Id: I7109031880758f7c1eb4eca513323328feace33c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3622
Reviewed-on: https://go-review.googlesource.com/c/go/+/752080
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>

clone the repository to get more history