- 23 Aug, 2019 4 commits
-
-
Emmanuel T Odeke authored
Fixes #32815 Change-Id: Ia8ac9943a920a056ba7dbc69c1c70fa188f7aca8 Reviewed-on: https://go-review.googlesource.com/c/go/+/191578 Reviewed-by: Robert Griesemer <gri@golang.org>
-
Jay Conrod authored
The -m flag is removed in Go 1.13. -d should be used instead. Change-Id: Ia53764748309f16cb231e5ac6770400a73804484 Reviewed-on: https://go-review.googlesource.com/c/go/+/191621 Run-TryBot: Jay Conrod <jayconrod@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
Filippo Valsorda authored
Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import the following security fix.

    commit 74dc4d7220e7acc4e100824340f3e66577424772
    Author: Filippo Valsorda <filippo@golang.org>
    Date: Sun Aug 11 02:12:18 2019 -0400

        http2: limit number of control frames in server send queue

        An attacker could cause servers to queue an unlimited number of PING ACKs or RST_STREAM frames by soliciting them and not reading them, until the program runs out of memory.

        Limit control frames in the queue to a few thousands (matching the limit imposed by other vendors) by counting as they enter and exit the scheduler, so the protection will work with any WriteScheduler.

        Once the limit is exceeded, close the connection, as we have no way to communicate with the peer.

        Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
        Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
        Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>

This change was generated with cmd/go and cmd/bundle:

    $ go get -u golang.org/x/net
    $ go mod tidy
    $ go mod vendor
    $ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes #33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
-
Rob Pike authored
Follow-on from a review comment in https://golang.org/cl/191078 Change-Id: If115b2ae0df5e5cb9babd60802947ddb687d56c2 Reviewed-on: https://go-review.googlesource.com/c/go/+/191219 Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
- 22 Aug, 2019 3 commits
-
-
Jonathan Amsterdam authored
- Add doc to syscall.Errno (and syscall.ErrorString for plan9).
- Mention under `syscall` in release notes.

Fixes #33436.

Change-Id: I032ffebaa76ed67eb9d748e7645ca73f26144ea0
Reviewed-on: https://go-review.googlesource.com/c/go/+/191337
Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
Jeff Hodges authored
As of Go 1.13rc1, TimeoutHandler supports the Flusher and Pusher interfaces and this change corrects its documentation to say that. Fixes #33769 Updates #29193 Change-Id: Ia0523f7f2e3dc1f8f0b68950b85a7bf81c4abe60 GitHub-Last-Rev: 5310d2c9608a1af2d3030a9573e920906c76744e GitHub-Pull-Request: golang/go#33770 Reviewed-on: https://go-review.googlesource.com/c/go/+/191237 Reviewed-by: Andrew Bonventre <andybons@golang.org> Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
Emmanuel T Odeke authored
Fixes #33750. Updates #31197. Change-Id: I26f63cef57e5f0eec85b84554c82f6d47b4f41a1 Reviewed-on: https://go-review.googlesource.com/c/go/+/191078 Reviewed-by: Robert Griesemer <gri@golang.org>
-
- 21 Aug, 2019 3 commits
-
-
Emmanuel T Odeke authored
Document that:

* math/big.Float.Parse
* math/big.Int.SetString
* strconv.ParseFloat
* strconv.ParseInt
* strconv.ParseUint

now accept underscores to group digits only if base = 0, as per the Go 2 language changes.

Updates #32815

Change-Id: Id45bd803a18442436419739297e8aed0d32ca56c
Reviewed-on: https://go-review.googlesource.com/c/go/+/191077
Reviewed-by: Robert Griesemer <gri@golang.org>
-
Filippo Valsorda authored
This reverts CL 151157. CL 151157 introduced a crash when decoding into ",string" fields. It came with a moderate speedup, so at this stage of the release cycle let's just revert it, and reapply it in Go 1.14 with the fix in CL 190659. Also applied the test cases from CL 190659. Updates #33728 Change-Id: Ie46e2bc15224b251888580daf6b79d5865f3878e Reviewed-on: https://go-review.googlesource.com/c/go/+/190909 Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Andrew Bonventre <andybons@golang.org>
-
Russ Cox authored
This CL makes the go command understand that GOSUMDB=sum.golang.google.cn should connect to that domain but expect to find a checksum database signed by sum.golang.org there. The host sum.golang.google.cn is not yet completely configured; we hope it will be available in a few weeks. Change-Id: Ie0fc4323f0c7084dda59bd3b45fc406717fa16d9 Reviewed-on: https://go-review.googlesource.com/c/go/+/191137 Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Andrew Bonventre <andybons@golang.org>
-
- 20 Aug, 2019 2 commits
-
-
Bryan C. Mills authored
Fixes #33720 Updates #14295 Change-Id: I9cb6e02bcaccd7971057315163d8810157d465bd Reviewed-on: https://go-review.googlesource.com/c/go/+/190907 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Jay Conrod <jayconrod@google.com>
-
Filippo Valsorda authored
The docs refer to "the last two paragraphs", but in fact should refer to the first two of the previous three paragraphs. Moved up the out of place paragraph. Updates #14295 Change-Id: I066da7a665bc6754d246782b941af214a385017a Reviewed-on: https://go-review.googlesource.com/c/go/+/190839 Reviewed-by: Bryan C. Mills <bcmills@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 19 Aug, 2019 1 commit
-
-
Wagner Riffel authored
Change-Id: I75619feced842b8ca509ee08e01b63258c5e87ca Reviewed-on: https://go-review.googlesource.com/c/go/+/190757 Reviewed-by: Ian Lance Taylor <iant@golang.org> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
- 18 Aug, 2019 1 commit
-
-
Dmitry Vyukov authored
Currently test build fails with:

    $ go test -tags=gofuzz encoding/json
    encoding/json/fuzz.go:36:4: Println call has possible formatting directive %s
    FAIL encoding/json [build failed]

Change-Id: I23aef44a421ed0e7bcf48b74ac5a8c6768a4841b
Reviewed-on: https://go-review.googlesource.com/c/go/+/190698
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
- 16 Aug, 2019 3 commits
-
-
Joe Tsai authored
CL 131196 optimized Time.Sub, but was reverted because it incorrectly computed the nanoseconds in some edge cases. This CL adds a test case to enforce the correct behavior so that a future optimization does not break this again. Updates #17858 Updates #33677 Change-Id: I596d8302ca6bf721cf7ca11cc6f939639fcbdd43 Reviewed-on: https://go-review.googlesource.com/c/go/+/190524 Run-TryBot: Joe Tsai <thebrokentoaster@gmail.com> Reviewed-by: Daniel Martí <mvdan@mvdan.cc> Reviewed-by: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
Joe Tsai authored
CL 162337 changed go/ast to better handle block comments, but was reverted because it introduced an off-by-one bug. This CL adds a test case to enforce the correct behavior so that future changes do not break this again. Updates #18929 Updates #33538 Change-Id: I2d25c139d007f8db1091b7a48b1dd20c584e2699 Reviewed-on: https://go-review.googlesource.com/c/go/+/190523 Run-TryBot: Joe Tsai <thebrokentoaster@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Robert Griesemer <gri@golang.org>
-
Joe Tsai authored
This reverts commit CL 131196 because there is a bug in the calculation of nanoseconds. Fixes #33677 Change-Id: Ic8e94c547ee29b8aeda1b9a5cb9764dbf47b14b4 Reviewed-on: https://go-review.googlesource.com/c/go/+/190497 Run-TryBot: Andrew Bonventre <andybons@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Andrew Bonventre <andybons@golang.org>
-
- 15 Aug, 2019 2 commits
-
-
Dmitri Shuralyov authored
Change-Id: I88b7e085fc70f9c021788d364099f5bc6b705ba8 Reviewed-on: https://go-review.googlesource.com/c/go/+/190438 Reviewed-by: Filippo Valsorda <filippo@golang.org>
-
Dmitri Shuralyov authored
Change-Id: I0daab6cd347e1fc0066e516f02c33f1b63e3f1a3 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526992 Reviewed-by: Filippo Valsorda <valsorda@google.com> (cherry picked from commit 305f6dc3) Reviewed-on: https://go-review.googlesource.com/c/go/+/190437 Reviewed-by: Filippo Valsorda <filippo@golang.org>
-
- 14 Aug, 2019 2 commits
-
-
Cherry Zhang authored
When calling a function obtained from reflect.Value.Method (or MethodByName), we copy the arguments from the caller frame, which does not include the receiver, to a new frame to call the actual method, which does include the receiver. Here we need to align the first (non-receiver) argument. As the receiver is pointer sized, it is generally naturally aligned, except on amd64p32, where the argument can have larger alignment, and this aligning becomes necessary. Fixes #33628. Change-Id: I5bea0e20173f06d1602c5666d4f334e3d0de5c1e Reviewed-on: https://go-review.googlesource.com/c/go/+/190297 Run-TryBot: Cherry Zhang <cherryyz@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Keith Randall <khr@golang.org>
-
Toshihiro Shiino authored
Change-Id: If9ad650174572c475f0b3d3394208c2a9dd0a596 Reviewed-on: https://go-review.googlesource.com/c/go/+/190237 Reviewed-by: Agniva De Sarker <agniva.quicksilver@gmail.com>
-
- 12 Aug, 2019 2 commits
-
-
Filippo Valsorda authored
When Host is not valid per RFC 3986, the behavior of Hostname and Port was wildly unpredictable, to the point that Host could have a suffix that didn't appear in either Hostname or Port.

This is a security issue when applications are applying checks to Host and expecting them to be meaningful for the contents of Hostname.

To reduce disruption, this change only aims to guarantee the following two security-relevant invariants.

* Host is either Hostname or [Hostname] with Port empty, or Hostname:Port or [Hostname]:Port.

* Port is only decimals.

The second invariant is the one that's most likely to cause disruption, but I believe it's important, as it's conceivable an application might do a suffix check on Host and expect it to be meaningful for the contents of Hostname (if the suffix is not a valid port).

There are three ways to ensure it.

1) Reject invalid ports in Parse. Note that non-numeric ports are already rejected if and only if the host starts with "[".

2) Consider non-numeric ports as part of Hostname, not Port.

3) Allow non-numeric ports, and hope they only flow down to net/http, which will reject them (#14353).

This change adopts both 1 and 2. We could do only the latter, but then these invalid hosts would flow past port checks, like in http_test.TestTransportRejectsAlphaPort. Non-numeric ports weren't fully supported anyway, because they were rejected after IPv6 literals, so this restores consistency. We could do only the former, but at this point 2) is free and might help with manually constructed Host values (or if we get something wrong in Parse).

Note that net.SplitHostPort and net.Dial explicitly accept service names in place of port numbers, but this is a URL package, and RFC 3986, Section 3.2.3, clearly specifies ports as a number in decimal.

net/http uses a mix of net.SplitHostPort and url.Parse that would deserve looking into, but in general it seems that it will still accept service names in Addr fields as they are passed to net.Listen, while rejecting them in URLs, which feels correct.

This leaves a number of invalid URLs to reject, which however are not security relevant once the two invariants above hold, so can be done in Go 1.14: IPv6 literals without brackets (#31024), invalid IPv6 literals, hostnames with invalid characters, and more.

Tested with 200M executions of go-fuzz and the following Fuzz function.

    u, err := url.Parse(string(data))
    if err != nil {
        return 0
    }
    h := u.Hostname()
    p := u.Port()

    switch u.Host {
    case h + ":" + p:
        return 1
    case "[" + h + "]:" + p:
        return 1
    case h:
        fallthrough
    case "[" + h + "]":
        if p != "" {
            panic("unexpected Port()")
        }
        return 1
    }
    panic("Host is not a variant of [Hostname]:Port")

Fixes CVE-2019-14809
Updates #29098

Change-Id: I7ef40823dab28f29511329fa2d5a7fb10c3ec895
Reviewed-on: https://go-review.googlesource.com/c/go/+/189258
Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
Filippo Valsorda authored
The bundle included changes from a commit after the one referred to by the go.mod, probably due to cmd/bundle using the GOPATH source.

Identified with the new go/packages based cmd/bundle from CL 189818.

    $ go get golang.org/x/net@461777fb6f
    $ go mod tidy
    $ go mod vendor
    $ go generate net/http # with CL 189818

Also, updated the socks_bundle.go generate command to drop obsolete options and match h2_bundle.go. It caused no output changes.

Updates #32031

Change-Id: I0322d4e842dbfdad749455111072ca4872a62ad4
Reviewed-on: https://go-review.googlesource.com/c/go/+/189897
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
-
- 11 Aug, 2019 2 commits
-
-
Ian Lance Taylor authored
Updates #31449 Change-Id: I76490c5e83eb2f7ba529b387a57ba088428aece5 Reviewed-on: https://go-review.googlesource.com/c/go/+/189757 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> Reviewed-by: Filippo Valsorda <filippo@golang.org>
-
Pure White authored
Fixes #33054 Change-Id: I687d45e092d721a6c22888cc7ddbe420c16a5af9 GitHub-Last-Rev: a7208c89a0d613a53ab057e0b4418ae4719cfcbd GitHub-Pull-Request: golang/go#33069 Reviewed-on: https://go-review.googlesource.com/c/go/+/185917 Reviewed-by: Rob Pike <r@golang.org>
-
- 10 Aug, 2019 1 commit
-
-
Carlo Alberto Ferraris authored
Mention faster sync.Mutex/RWMutex/Once in the 1.13 release notes. Change-Id: I29d8a5004a0af42542e8db82a8c9e2e06a15dbb0 GitHub-Last-Rev: 2995401dab563ea5af98c0f5351f51a6116f105e GitHub-Pull-Request: golang/go#33404 Reviewed-on: https://go-review.googlesource.com/c/go/+/188479 Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
-
- 09 Aug, 2019 4 commits
-
-
K. "pestophagous" Heller authored
Prior doc implied that "git clone" was one way to obtain a go1.4 bootstrap toolchain, but it did not state this outright. Further, the doc did not make it explicit in the "Fetch the repository" section that one must necessarily "git clone" a second time in the (presumed-to-be-uncommon) case where "git clone" had already been performed in the "compiler binaries" section. Updates #33402 Change-Id: Id70a6587b6ee09aca13559d63868b75cb07dff1e Reviewed-on: https://go-review.googlesource.com/c/go/+/188900 Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
Ian Lance Taylor authored
There is real (albeit generated) code that exceeds the limit. Fixes #33555 Change-Id: I668e85825d3d2a471970e869abe63f3492213cc1 Reviewed-on: https://go-review.googlesource.com/c/go/+/189697 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Cherry Zhang <cherryyz@google.com>
-
Agniva De Sarker authored
And also insert new paragraphs between GOOS and GOARCH listings for better readability. Fixes #28142 Fixes #26513 Change-Id: Ie92e98dbfd924e80032a12afbfa02f30e3a6f916 Reviewed-on: https://go-review.googlesource.com/c/go/+/189578 Reviewed-by: Andrew Bonventre <andybons@golang.org>
-
Bryan C. Mills authored
If we don't know whether a path is a module path or a package path, previously we would first try a module query for it, then fall back to a package query. If we are using a sequence of proxies with fallback (as will be the default in Go 1.13), and the path is not actually a module path, that initial module query will fail against the first proxy, then immediately fall back to the next proxy in the sequence — even if the query could have been satisfied by some other (prefix) module available from the first proxy. Instead, we now query the requested path as only one kind of path. If we query it as a package path but it turns out to only exist as a module, we can detect that as a PackageNotInModuleError with an appropriate module path — we do not need to issue a second query to classify it. Fixes #31785 Change-Id: I581d44279196e41d1fed27ec25489e75d62654e3 Reviewed-on: https://go-review.googlesource.com/c/go/+/189517 Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Jay Conrod <jayconrod@google.com>
-
- 08 Aug, 2019 5 commits
-
-
Jay Conrod authored
modload.ListModules now wraps errors as module.ModuleError as appropriate. The resulting errors always include the module path and will include the version, if known. 'go mod download' no longer ignores errors reported by ListModules. Previously, it started requesting module info, go.mod, and zip. Those requests would fail, overwriting the original failure. They were usually less descriptive. 'go mod download' with a module not in the build list (and no version query) is now an error. Previously, this was silently ignored. Fixes #30743 Change-Id: Icee8c1c6c5240de135a8b6ba42d6bbcdb757cdac Reviewed-on: https://go-review.googlesource.com/c/go/+/189323 Run-TryBot: Jay Conrod <jayconrod@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com>
-
Joe Tsai authored
This reverts CL 162337. Reason for revert: this introduces a regression Fixes #33538 Updates #18929 Change-Id: Ib2320a840c6d3ec7912e8f414e933d04fbf11ab4 Reviewed-on: https://go-review.googlesource.com/c/go/+/189379 Reviewed-by: Robert Griesemer <gri@golang.org>
-
Filippo Valsorda authored
These will need auditing per #32813 like a few others in go1.13.txt, but in the meantime they break the API check for beta/RC releases. Updates #32813 Updates #31912 Change-Id: I3b0501b46324ee6fc0985f84971b99b772c7e4a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/189458 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
-
Alberto Donizetti authored
Change-Id: Id0a55674a16671aaee99182d9096a9263f7a80b3 Reviewed-on: https://go-review.googlesource.com/c/go/+/189357 Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
Derek Phan authored
Change-Id: Ib0ae6e3e678dc7ace21b891e946ffc6bc2a78835 GitHub-Last-Rev: 8c6704ea8c032072ac339dc9d1c6ec78aec15b2a GitHub-Pull-Request: golang/go#33534 Reviewed-on: https://go-review.googlesource.com/c/go/+/189378 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
- 07 Aug, 2019 1 commit
-
-
David Finkel authored
Document goroutine label inheritance. Goroutine labels are copied upon goroutine creation and there is a test enforcing this, but it was not mentioned in the docstrings for `Do` or `SetGoroutineLabels`. Add notes to both of those functions' docstrings so it's clear that one does not need to set labels as soon as a new goroutine is spawned if they want to propagate tags. Updates #32223 Updates #23458 Change-Id: Idfa33031af0104b884b03ca855ac82b98500c8b4 Reviewed-on: https://go-review.googlesource.com/c/go/+/189317 Reviewed-by: Ian Lance Taylor <iant@golang.org>
-
- 06 Aug, 2019 4 commits
-
-
Jay Conrod authored
In modload.Import, confirm that the import path does not start with "cmd/" before calling QueryPackage, which returns a less helpful error. In load.loadPackageData, don't wrap errors with "unknown import path". The wrapped error should always include the import path, and it's also repeated in the PackageError wrapper. Fixes #31031 Change-Id: I071efa22e3842c62831d096f888a8006811fe724 Reviewed-on: https://go-review.googlesource.com/c/go/+/189157 Run-TryBot: Jay Conrod <jayconrod@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com>
-
Marcel van Lohuizen authored
Fixes #33472 Change-Id: Iab69e69589f2e017f4cf9770858884b1a570c89e Reviewed-on: https://go-review.googlesource.com/c/go/+/188799 Reviewed-by: Andrew Bonventre <andybons@golang.org>
-
Jay Conrod authored
This mirrors the ELF fix in CL 188957. TestScript/version failed on darwin after that change. Fixes #31861 Change-Id: I4ce953ebec8dd5fa47e26d373c59d7e290b75a34 Reviewed-on: https://go-review.googlesource.com/c/go/+/189159 Run-TryBot: Jay Conrod <jayconrod@google.com> Reviewed-by: Bryan C. Mills <bcmills@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org>
-
Bharath Thiruveedula authored
Fixes #33433 Change-Id: Idb3961685a3cfd13ba26155a1d64fc24cc418fdb Reviewed-on: https://go-review.googlesource.com/c/go/+/189117 Reviewed-by: Ian Lance Taylor <iant@golang.org>
-