commit 8707f31c0abc6b607014e843b7cc188b3019daa9
Author: Chris Broadfoot
Date: 2016-07-21 14:06:27 -07:00

go1.7rc3

Change-Id: Iaef13003979c68926c260c415d6074a50ae137b2
Reviewed-on: https://go-review.googlesource.com/25142
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit 16a2af03f17e5b2bcf468442e66ef7a99ae55c70
Author: Chris Broadfoot
Date: 2016-07-21 12:38:13 -07:00

all: merge master into release-branch.go1.7

Change-Id: I2511c3f7583887b641c9b3694aae54789fbc5342

commit 0ebf6ce087388cdd501a02ff92f2f8cafc3e1378
Author: Chris Broadfoot
Date: 2016-07-18 08:19:17 -07:00

[release-branch.go1.7] go1.7rc2

Change-Id: I5473071f672f8352fbd3352e158d5be12823b58a
Reviewed-on: https://go-review.googlesource.com/25017
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021
Author: Brad Fitzpatrick
Date: 2016-07-18 06:05:24 Z

[release-branch.go1.7] net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue

Because,

* The CGI spec defines that incoming request header "Foo: Bar" maps to
  environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)

* The HTTP_PROXY environment variable is conventionally used to configure
  the HTTP proxy for HTTP clients (and is respected by default for
  Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

Fixes #16405

Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-on: https://go-review.googlesource.com/25013
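
Added example (not part of the commit and not Go's own source): the RFC 3875 header mapping described in the message above, with a host-side filter that drops the Proxy header and a child-side guard that refuses HTTP_PROXY when REQUEST_METHOD is set. The helper names cgiEnv and proxyFromEnv and all header values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiEnv applies the RFC 3875 4.1.18 mapping a CGI host performs:
// request header "Foo-Bar: v" becomes meta-variable HTTP_FOO_BAR=v.
// With dropProxy set, the "Proxy" header is never exported, so it
// cannot surface as HTTP_PROXY in the child (hypothetical helper).
func cgiEnv(h http.Header, dropProxy bool) []string {
	env := []string{"REQUEST_METHOD=GET"}
	for name, vals := range h {
		key := strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		if dropProxy && key == "PROXY" {
			continue
		}
		env = append(env, "HTTP_"+key+"="+strings.Join(vals, ", "))
	}
	sort.Strings(env)
	return env
}

// proxyFromEnv is a child-side guard (hypothetical helper): REQUEST_METHOD
// is always set under CGI, so HTTP_PROXY seen next to it is untrusted.
func proxyFromEnv(env []string) (string, error) {
	vars := map[string]string{}
	for _, kv := range env {
		if i := strings.IndexByte(kv, '='); i > 0 {
			vars[kv[:i]] = kv[i+1:]
		}
	}
	if vars["HTTP_PROXY"] != "" && vars["REQUEST_METHOD"] != "" {
		return "", errors.New("refusing HTTP_PROXY in CGI environment")
	}
	return vars["HTTP_PROXY"], nil
}

func main() {
	// Constructed request headers; attacker.example is a placeholder.
	h := http.Header{}
	h.Set("Proxy", "attacker.example:1234")
	h.Set("User-Agent", "demo")
	fmt.Println(cgiEnv(h, false)) // naive host: HTTP_PROXY is exported
	fmt.Println(cgiEnv(h, true))  // hardened host: Proxy header dropped
	_, err := proxyFromEnv(cgiEnv(h, false))
	fmt.Println(err) // child guard rejects it even behind a naive host
}
```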

commit 53da5fd4d431881bb3583c9790db7735a6530a1b
Author: Ian Lance Taylor
Date: 2016-07-07 16:41:29 -07:00

[release-branch.go1.7] runtime: fix nanotime for macOS Sierra

In the beta version of the macOS Sierra (10.12) release, the
gettimeofday system call changed on x86. Previously it always returned
the time in the AX/DX registers. Now, if AX is returned as 0, it means
that the system call has stored the values into the memory pointed to by
the first argument, just as the libc gettimeofday function does. The
libc function handles both cases, and we need to do so as well.

Fixes #16272.

Change-Id: Ibe5ad50a2c5b125e92b5a4e787db4b5179f6b723
Reviewed-on: https://go-review.googlesource.com/24812
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/24755
Reviewed-by: Chris Broadfoot <cbro@golang.org>
