commit 6732fcc06df713fc737cee5c5860bad87599bc6d
Author: Russ Cox
Date: 2018-02-07 09:28:53 -05:00

[release-branch.go1.9] go1.9.4

Change-Id: I2ab24e37b21d4b3275ffaeab3cb27d4e8e276e1e
Reviewed-on: https://team-review.git.corp.google.com/213171
Reviewed-by: Andrew Bonventre <andybons@google.com>

commit 135c5a056ca11bc295454f397a744cbce9d00581
Author: Russ Cox
Date: 2018-02-07 09:28:33 -05:00

[release-branch.go1.9] doc: document Go 1.9.4

Change-Id: Ia3e35328d50bbd08948b34e09a9e8bb4f9b07888
Reviewed-on: https://team-review.git.corp.google.com/213170
Reviewed-by: Andrew Bonventre <andybons@google.com>

commit 867fb18b6d5bc73266b68c9a695558a04e060a8a
Author: Russ Cox
Date: 2018-02-05 23:12:50 -05:00

[release-branch.go1.9] cmd/go: accept only limited compiler and linker flags in #cgo directives

Both gcc and clang accept an option -fplugin=code.so to load
a plugin from the ELF shared object file code.so.
Obviously that plugin can then do anything it wants
during the build. This is contrary to the goal of "go get"
never running untrusted code during the build.
(What happens if you choose to run the result of
the build is your responsibility.)

Disallow this behavior by only allowing a small set of
known command-line flags in #cgo CFLAGS directives
(and #cgo LDFLAGS, etc).

The new restrictions can be adjusted by the environment
variables CGO_CFLAGS_ALLOW, CGO_CFLAGS_DISALLOW,
and so on. See the documentation.

In addition to excluding cgo-defined flags, we also have to
make sure that when we pass file names on the command
line, they don't look like flags. So we now refuse to build
packages containing suspicious file names like -x.go.

A wrinkle in all this is that GNU binutils uniformly accept
@foo on the command line to mean "if the file foo exists,
then substitute its contents for @foo in the command line".
So we must also reject @x.go, flags and flag arguments
beginning with @, and so on.

Fixes #23673, CVE-2018-6574.

Change-Id: I59e7c1355155c335a5c5ae0d2cf8fa7aa313940a
Reviewed-on: https://team-review.git.corp.google.com/212507
Reviewed-by: Ian Lance Taylor <iant@google.com>
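
The checks described in the commit message above, sketched as an added example that is not the Go project's code: every #cgo flag must match an allowlist, and file names must not look like flags or @response-files. The allowlist contents, the function names CheckFlags and CheckFileName, and the allow/disallow precedence are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// builtinAllow is a constructed allowlist for illustration only; it is not
// the list used by cmd/go. Flag values may not begin with '-' or '@'.
var builtinAllow = []*regexp.Regexp{
	regexp.MustCompile(`^-D[A-Za-z_][A-Za-z0-9_]*(=[^@-].*)?$`),
	regexp.MustCompile(`^-[IL][^@-].*$`),
	regexp.MustCompile(`^-l[^@-].*$`),
	regexp.MustCompile(`^-O[0-3s]?$`),
}

// CheckFlags returns an error for the first flag that is not permitted.
// disallow wins over allow, and allow extends the built-in list; both may be
// nil. This ordering models the ALLOW/DISALLOW variables and is an assumption.
func CheckFlags(flags []string, allow, disallow *regexp.Regexp) error {
	for _, f := range flags {
		if disallow != nil && disallow.MatchString(f) {
			return fmt.Errorf("flag disallowed: %q", f)
		}
		ok := allow != nil && allow.MatchString(f)
		for _, re := range builtinAllow {
			ok = ok || re.MatchString(f)
		}
		if !ok {
			return fmt.Errorf("flag not in allowlist: %q", f)
		}
	}
	return nil
}

// CheckFileName rejects names a compiler or binutils would read as an option.
func CheckFileName(name string) error {
	if strings.HasPrefix(name, "-") || strings.HasPrefix(name, "@") {
		return fmt.Errorf("invalid file name: %q", name)
	}
	return nil
}

func main() {
	// Constructed sample input, not taken from a real package.
	fmt.Println(CheckFlags([]string{"-DNDEBUG", "-fplugin=code.so"}, nil, nil))
	fmt.Println(CheckFileName("-x.go"))
}
```

Because every token must match a pattern that starts with a known option, anything unrecognised, including a bare @file argument, fails closed.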

commit c03ee1985cb6e4467246a2bdb07bb1c62e05f8e9
Author: Andrew Bonventre
Date: 2018-01-22 21:01:18 -05:00

[release-branch.go1.9] doc: document Go 1.8.6

Update golang/go#23515

Change-Id: Id334d8663bf4cbb68f224d1bba4c9ad3855f8aae
Reviewed-on: https://go-review.googlesource.com/89155
Reviewed-by: Andrew Gerrand <adg@golang.org>
(cherry picked from commit 6c27114cedb47e8bd2723416ea0c63d047a2cefc)
Reviewed-on: https://go-review.googlesource.com/89176
Reviewed-by: Andrew Bonventre <andybons@golang.org>

commit a563954b799c6921fc3666b4723d38413f442145
Author: Andrew Bonventre
Date: 2018-01-22 15:08:02 -05:00

[release-branch.go1.9] go1.9.3

Change-Id: I9347a78c86dcc13cd5f6f000e788934cb1bda491
Reviewed-on: https://go-review.googlesource.com/89015
Run-TryBot: Andrew Bonventre <andybons@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>
