commit 357c9141369361101345f3048a6b2b3e149299d5
Author: Russ Cox
Date: 2018-02-07 09:23:18 -05:00
[release-branch.go1.8] go1.8.7
Change-Id: Ida9b4f44033f33657dad213f65b0c85ad89b08a7
Reviewed-on: https://team-review.git.corp.google.com/213169
Reviewed-by: Andrew Bonventre <andybons@google.com>
commit 9574ce9cf6902560f4970eb3da7ae0632205ba80
Author: Russ Cox
Date: 2018-02-07 09:22:32 -05:00
[release-branch.go1.8] doc: document Go 1.8.7
Change-Id: I7ea97312bdf489c2833b1823dd633eb55f3bcd72
Reviewed-on: https://team-review.git.corp.google.com/213168
Reviewed-by: Andrew Bonventre <andybons@google.com>
commit 44821583bc16ff2508664fab94360bb856e9e9d6
Author: Russ Cox
Date: 2018-02-05 23:12:50 -05:00
[release-branch.go1.8] cmd/go: accept only limited compiler and linker flags in #cgo directives

Both gcc and clang accept an option -fplugin=code.so to load
a plugin from the ELF shared object file code.so.
Obviously that plugin can then do anything it wants
during the build. This is contrary to the goal of "go get"
never running untrusted code during the build.
(What happens if you choose to run the result of
the build is your responsibility.)

Disallow this behavior by only allowing a small set of
known command-line flags in #cgo CFLAGS directives
(and #cgo LDFLAGS, etc).

The new restrictions can be adjusted by the environment
variables CGO_CFLAGS_ALLOW, CGO_CFLAGS_DISALLOW,
and so on. See the documentation.

In addition to excluding cgo-defined flags, we also have to
make sure that when we pass file names on the command
line, they don't look like flags. So we now refuse to build
packages containing suspicious file names like -x.go.

A wrinkle in all this is that GNU binutils uniformly accept
@foo on the command line to mean "if the file foo exists,
then substitute its contents for @foo in the command line".
So we must also reject @x.go, flags and flag arguments
beginning with @, and so on.

Fixes #23674, CVE-2018-6574.
Change-Id: I59e7c1355155c335a5c5ae0d2cf8fa7aa313940a
Reviewed-on: https://team-review.git.corp.google.com/212688
Reviewed-by: Ian Lance Taylor <iant@google.com>
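
The checks this commit message describes, as an added Go example (not cmd/go's own code): the allowlist pattern is constructed for illustration and is not the list cmd/go ships, and `CheckFlags` and `CheckFileName` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed allowlist for illustration; it is not cmd/go's actual list.
// Flag values may not begin with '@' or '-' (for example -L@libs).
var allowed = regexp.MustCompile(
	`^-(?:[DIUL][^@-].*|l[A-Za-z0-9_.+-]+|O[0-3s]?|g|pthread|Wall|Werror|std=[a-z0-9+]+)$`)

// CheckFlags validates the words of one #cgo directive (hypothetical helper).
func CheckFlags(directive string, args []string) error {
	for _, a := range args {
		if strings.HasPrefix(a, "@") { // the toolchain would expand this as @file
			return fmt.Errorf("#cgo %s: argument %q begins with @", directive, a)
		}
		if !strings.HasPrefix(a, "-") {
			continue // plain operand such as an object file name
		}
		if !allowed.MatchString(a) {
			return fmt.Errorf("#cgo %s: flag %q is not on the allowlist", directive, a)
		}
	}
	return nil
}

// CheckFileName rejects source file names that would be read as an option
// or as an @file reference once placed on a compiler command line.
func CheckFileName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") || strings.HasPrefix(name, "@") {
		return fmt.Errorf("invalid input file name %q", name)
	}
	return nil
}

func main() {
	// Constructed sample directives and file names.
	fmt.Println(CheckFlags("CFLAGS", []string{"-O2", "-DNDEBUG", "-Iinclude"}))
	fmt.Println(CheckFlags("CFLAGS", []string{"-fplugin=code.so"}))
	fmt.Println(CheckFlags("LDFLAGS", []string{"-L@libs", "-lz"}))
	fmt.Println(CheckFileName("-x.go"), CheckFileName("@x.go"))
}
```

Because the check is an allowlist, a flag that is merely unknown (here, a separated `-I` followed by its value) is refused along with the dangerous ones.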
commit 96c72e94687d1d78770a204f35993cb2cd3c91e4
Author: Andrew Bonventre
Date: 2018-01-22 22:12:44 -05:00
[release-branch.go1.8] go1.8.6
Change-Id: I0aeac01cb7a4329129351d3175f11a0a50b7466c
Reviewed-on: https://go-review.googlesource.com/89195
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
commit 89e6a4d6d0a0e89e6e3e2e387d8a45f0eafa751b
Author: Andrew Bonventre
Date: 2018-01-22 21:01:18 -05:00
[release-branch.go1.8] doc: document Go 1.8.6
Update golang/go#23515
Change-Id: Id334d8663bf4cbb68f224d1bba4c9ad3855f8aae
Reviewed-on: https://go-review.googlesource.com/89155
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-on: https://go-review.googlesource.com/89157
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>