Comparing changes
base repository: golang/go
base: go1.20.3
head repository: golang/go
compare: go1.20.4
- 15 commits
- 98 files changed
- 12 contributors
Commits on Apr 5, 2023
[release-branch.go1.20] html/template,mime/multipart: document new GODEBUG settings

This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix.

Updates #59153.
For #59270.
Updates #59234.
For #59272.

Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/482555
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>

Commit 5c7c20e

[release-branch.go1.20] crypto/subtle: don't cast to *uintptr when word size is 0

Casting to a *uintptr is not ok if there isn't at least 8 bytes of data backing that pointer (on 64-bit archs). So although we end up making a slice of 0 length with that pointer, the cast itself doesn't know that. Instead, bail early if the result is going to be 0 length.

Fixes #59336

Change-Id: Id3c0e09d341d838835c0382cccfb0f71dc3dc7e6
Reviewed-on: https://go-review.googlesource.com/c/go/+/480575
Run-TryBot: Keith Randall <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-by: Emmanuel Odeke <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Bryan Mills <[email protected]>
(cherry picked from commit 297cf6dd31bd99fc4ccda320aa3d4faf290ab278)
Reviewed-on: https://go-review.googlesource.com/c/go/+/481238
Reviewed-by: Keith Randall <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>

Commit dcc9bdf

[release-branch.go1.20] cmd/compile: don't set range expr key/value type if already set

Unified IR already records the correct type for them.

Fixes #59450

Change-Id: I275c45b48f67bde55c8e2079d60b5868d0acde7f
Reviewed-on: https://go-review.googlesource.com/c/go/+/481555
Reviewed-by: Michael Knyszek <[email protected]>
Auto-Submit: Cuong Manh Le <[email protected]>
Run-TryBot: Cuong Manh Le <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/482655
Auto-Submit: Michael Knyszek <[email protected]>

Commit 99001c4

Commits on Apr 12, 2023
[release-branch.go1.20] cmd/compile: fix ir.StaticValue for ORANGE

Range statement will mutate the key and value, so we should treat them as reassigned.

Fixes #59580

Change-Id: I9c6b67d938760a0c6a1d9739f2737c67af4a3a10
Reviewed-on: https://go-review.googlesource.com/c/go/+/483855
Run-TryBot: Wayne Zuo <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Auto-Submit: Keith Randall <[email protected]>
Reviewed-by: Keith Randall <[email protected]>
Reviewed-by: Keith Randall <[email protected]>
(cherry picked from commit 89567a3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/484136
Run-TryBot: Matthew Dempsky <[email protected]>

Commit 1dbbac7

Commits on Apr 14, 2023
[release-branch.go1.20] syscall: restore original NOFILE rlimit in child process

If we increased the NOFILE rlimit when starting the program, restore the original rlimit when forking a child process.

In CL 393354 the os package was changed to raise the open file rlimit at program start. That code is not inherently tied to the os package. This CL moves it into the syscall package.

This is a backport of CLs 476096 and 476097 from trunk.

For #46279
Fixes #59064

Change-Id: Ib813de896de0a5d28fa2b29afdf414a89fbe7b2a
Reviewed-on: https://go-review.googlesource.com/c/go/+/478659
Run-TryBot: Ian Lance Taylor <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Tobias Klauser <[email protected]>

Commit ecf7e00

Commits on Apr 24, 2023
[release-branch.go1.20] cmd/compile: use correct type for byteswaps on multi-byte stores

Use the type of the store for the byteswap, not the type of the store's value argument.

Normally when we're storing a 16-bit value, the value being stored is also typed as 16 bits. But sometimes it is typed as something smaller, usually because it is the result of an upcast from a smaller value, and that upcast needs no instructions.

If the type of the store's arg is thinner than the type being stored, and the byteswap'd value uses that thinner type, and the byteswap'd value needs to be spilled & restored, that spill/restore happens using the thinner type, which causes us to lose some of the top bits of the value.

Fixes #59374

Change-Id: If6ce1e8a76f18bf8e9d79871b6caa438bc3cce4d
Reviewed-on: https://go-review.googlesource.com/c/go/+/481395
Reviewed-by: David Chase <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
Run-TryBot: Keith Randall <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
(cherry picked from commit b3bc862)
Reviewed-on: https://go-review.googlesource.com/c/go/+/483176
Auto-Submit: Dmitri Shuralyov <[email protected]>

Commit 0684cec

[release-branch.go1.20] cmd/compile: remove broken LEA "optimization"

CL 440035 added rewrite rules to simplify "costly" LEA instructions, but the types in the rewrites were wrong and the code would go bad if the wrong-typed register was spilled.

CL 482536 attempted to fix this by correcting the type in the rewrite, but that "fix" broke something on windows-amd64-race.

Instead / for-now, remove the offending rewrite rules.

Updates #21735.
Updates #59432.
Fixes #59468.

Change-Id: I0497c42db414f2055e1378e0a53e2bceee9cd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/482820
Run-TryBot: David Chase <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
(cherry picked from commit 6a97a60)
Reviewed-on: https://go-review.googlesource.com/c/go/+/482164
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Keith Randall <[email protected]>
Reviewed-by: Keith Randall <[email protected]>

Commit 446493f

[release-branch.go1.20] cmd/compile: fix reproducible build of aliased generic types

Due to a missing "&& !alias" check, the unified linker was treating type aliases the same as defined types for the purpose of exporting method bodies. The methods will get exported anyway alongside the aliased type, so this mistake is normally harmless.

However, if multiple type aliases instantiated the same generic type but with different type arguments, this could result in the same (generic) method body being exported multiple times under different symbol names. Further, because bodies aren't expected to be exported multiple times, we were sorting them simply based on index. And consequently, the sort wasn't total and is sensitive to the map iteration order used while ranging over linker.bodies.

The fix is simply to add the missing "&& !alias" check, so that we don't end up with duplicate bodies in the first place.

Thanks rsc@ for providing a minimal repro case.

Fixes #59585.

Change-Id: Iaa55968cc7110b601e2f0f9b620901c2d55f7014
Reviewed-on: https://go-review.googlesource.com/c/go/+/484155
Reviewed-by: Keith Randall <[email protected]>
Auto-Submit: Matthew Dempsky <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Matthew Dempsky <[email protected]>
Reviewed-by: Keith Randall <[email protected]>
Reviewed-by: Russ Cox <[email protected]>
(cherry picked from commit f58c6cc)
Reviewed-on: https://go-review.googlesource.com/c/go/+/484160
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>

Commit ee42d46

[release-branch.go1.20] crypto/tls: fix PSK binder calculation

When server and client have mismatch in curve preference, the server will send HelloRetryRequest during TLSv1.3 PSK resumption. There was a bug introduced by Go1.19.6 or later and Go1.20.1 or later, that makes the client calculate the PSK binder hash incorrectly. Server will reject the TLS handshake by sending alert: invalid PSK binder.

For #59424.
Fixes #59540.

Change-Id: I2ca8948474275740a36d991c057b62a13392dbb9
GitHub-Last-Rev: 1aad9bc
GitHub-Pull-Request: #59425
Reviewed-on: https://go-review.googlesource.com/c/go/+/481955
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Roland Shoemaker <[email protected]>
(cherry picked from commit 2c70690)
Reviewed-on: https://go-review.googlesource.com/c/go/+/488055
Auto-Submit: Dmitri Shuralyov <[email protected]>
Run-TryBot: Dmitri Shuralyov <[email protected]>

Commit 813a811

cmd/compile/internal/importer,go/internal/gcimporter: use the 'go' command from build.Default.GOROOT in lookupGorootExport

Also set GOROOT explicitly in case it is set to something else in the caller's environment.

Updates #59598.
Fixes #59637.

Change-Id: I5599ed1183b23187fc3b976786f3c320d42ef4f3
Reviewed-on: https://go-review.googlesource.com/c/go/+/484756
Run-TryBot: Bryan Mills <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Bryan Mills <[email protected]>
Reviewed-by: Michael Matloob <[email protected]>
(cherry picked from commit 750e911)
Reviewed-on: https://go-review.googlesource.com/c/go/+/484758
Auto-Submit: Dmitri Shuralyov <[email protected]>

Commit 484535e

Commits on Apr 25, 2023
[release-branch.go1.20] Revert "net/http: FileServer method check + minimal OPTIONS implementation"

This reverts https://go.dev/cl/413554

Reason for revert: Backwards-incompatible change in behavior.

For #53501
For #59375
Fixes #59469

Change-Id: Ic3f63b378f9c819599b32e5e6e410f6163849317
Reviewed-on: https://go-review.googlesource.com/c/go/+/482635
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
(cherry picked from commit c02fa75)
Reviewed-on: https://go-review.googlesource.com/c/go/+/488635
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

Commit 25b4f40

Commits on May 2, 2023
[release-branch.go1.20] html/template: disallow angle brackets in CSS values

Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59720
Fixes #59812
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491336
Run-TryBot: Carlos Amedee <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

Commit 090590f

[release-branch.go1.20] html/template: handle all JS whitespace characters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For #59721
Fixes #59814
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493
TryBot-Result: Security TryBots <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491356
Run-TryBot: Carlos Amedee <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Commit 4a28cad

[release-branch.go1.20] html/template: emit filterFailsafe for empty unquoted attr value

An unquoted action used as an attribute value can result in unsafe behavior if it is empty, as HTML normalization will result in unexpected attributes, and may allow attribute injection. If executing a template results in an empty unquoted attribute value, emit filterFailsafe instead.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59722
Fixes #59816
Fixes CVE-2023-29400

Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851494
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
TryBot-Result: Security TryBots <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491358
Reviewed-by: Dmitri Shuralyov <[email protected]>
Run-TryBot: Carlos Amedee <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Commit 337dd75

[release-branch.go1.20] go1.20.4

Change-Id: I12cd69dd6b1c7c9620738a0d89b10e0a330a3004
Reviewed-on: https://go-review.googlesource.com/c/go/+/491435
Run-TryBot: Gopher Robot <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>

Commit 324c3ac

You can try running this command locally to see the comparison on your machine:
git diff go1.20.3...go1.20.4