gostls13.git log

commit 7f40c1214dd67cf171a347a5230da70bd8e10d32 [browse]
Author: Chris Broadfoot
Date: 2017-10-04 11:37:20 -07:00

[release-branch.go1.9] go1.9.1

Change-Id: I711b38738a7f6fade42a2821908234940f3cf280
Reviewed-on: https://go-review.googlesource.com/68233
Reviewed-by: Russ Cox <rsc@golang.org>

commit 598433b17ab4c4edf569b98ebd0a2dcb62a22f49 [browse]
Author: Chris Broadfoot
Date: 2017-10-04 11:09:15 -07:00

[release-branch.go1.9] doc: document go1.9.1 and go1.8.4

Change-Id: Ib42fabc6829b6033373c0378713733f88e73e73d
Reviewed-on: https://go-review.googlesource.com/68230
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-on: https://go-review.googlesource.com/68231
Reviewed-by: Chris Broadfoot <cbro@golang.org>

commit 815cad3ed026c904b5b54a45c5e044b9a1f4538c [browse]
Author: Tom Bergan
Date: 2017-08-28 11:09:37 -07:00

[release-branch.go1.9] doc/1.9: add mention of net/http.LocalAddrContextKey

Fixes #21603

Reviewed-on: https://go-review.googlesource.com/59530
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-on: https://go-review.googlesource.com/59670
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Tom Bergan <tombergan@google.com>

Change-Id: Ie9732d57948593dc0306a4a649664eedb3de370c
Reviewed-on: https://go-review.googlesource.com/68232
Reviewed-by: Chris Broadfoot <cbro@golang.org>

commit 1900d34a1042834712c04b4492e573421d965df2 [browse]
Author: Russ Cox
Date: 2017-10-04 13:24:49 -04:00

[release-branch.go1.9] net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers

PlainAuth originally refused to send passwords to non-TLS servers
and was documented as such.

In 2013, issue #5184 was filed objecting to the TLS requirement,
despite the fact that it is spelled out clearly in RFC 4954.
The only possibly legitimate use case raised was using PLAIN auth
for connections to localhost, and the suggested fix was to let the
server decide: if it advertises that PLAIN auth is OK, believe it.
That approach was adopted in CL 8279043 and released in Go 1.1.

Unfortunately, this is exactly wrong. The whole point of the TLS
requirement is to make sure not to send the password to the wrong
server or to a man-in-the-middle. Instead of implementing this rule,
CL 8279043 blindly trusts the server, so that if a man-in-the-middle
says "it's OK, you can send me your password," PlainAuth does.
And the documentation was not updated to reflect any of this.

This CL restores the original TLS check, as required by RFC 4954
and as promised in the documentation for PlainAuth.
It then carves out a documented exception for connections made
to localhost (defined as "localhost", "127.0.0.1", or "::1").

Cherry-pick of CL 68170.

Change-Id: I1d3729bbd33aa2f11a03f4c000e6bb473164957b
Reviewed-on: https://go-review.googlesource.com/68210
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>

commit a39bcecea6660d3c6d9770516df441c3f8fc47f5 [browse]
Author: Russ Cox
Date: 2017-09-22 12:17:21 -04:00

[release-branch.go1.9] cmd/go: reject update of VCS inside VCS

Cherry-pick of CL 68110.

Change-Id: Iae84c6404ab5eeb6950faa2364f97a017c67c506
Reviewed-on: https://go-review.googlesource.com/68022
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

clone the repository to get more history