1. 21 Aug, 2019 1 commit
  2. 20 Aug, 2019 2 commits
  3. 19 Aug, 2019 1 commit
  4. 18 Aug, 2019 1 commit
  5. 16 Aug, 2019 3 commits
  6. 15 Aug, 2019 2 commits
  7. 14 Aug, 2019 2 commits
  8. 12 Aug, 2019 2 commits
    • Filippo Valsorda's avatar
      net/url: make Hostname and Port predictable for invalid Host values · 61bb56ad
      Filippo Valsorda authored
      When Host is not valid per RFC 3986, the behavior of Hostname and Port
      was wildly unpredictable, to the point that Host could have a suffix
      that didn't appear in neither Hostname nor Port.
      
      This is a security issue when applications are applying checks to Host
      and expecting them to be meaningful for the contents of Hostname.
      
      To reduce disruption, this change only aims to guarantee the following
      two security-relevant invariants.
      
      * Host is either Hostname or [Hostname] with Port empty, or
        Hostname:Port or [Hostname]:Port.
      
      * Port is only decimals.
      
      The second invariant is the one that's most likely to cause disruption,
      but I believe it's important, as it's conceivable an application might
      do a suffix check on Host and expect it to be meaningful for the
      contents of Hostname (if the suffix is not a valid port).
      
      There are three ways to ensure it.
      
      1) Reject invalid ports in Parse. Note that non-numeric ports are
         already rejected if and only if the host starts with "[".
      
      2) Consider non-numeric ports as part of Hostname, not Port.
      
      3) Allow non-numeric ports, and hope they only flow down to net/http,
         which will reject them (#14353).
      
      This change adopts both 1 and 2. We could do only the latter, but then
      these invalid hosts would flow past port checks, like in
      http_test.TestTransportRejectsAlphaPort. Non-numeric ports weren't fully
      supported anyway, because they were rejected after IPv6 literals, so
      this restores consistency. We could do only the former, but at this
      point 2) is free and might help with manually constructed Host values
      (or if we get something wrong in Parse).
      
      Note that net.SplitHostPort and net.Dial explicitly accept service names
      in place of port numbers, but this is an URL package, and RFC 3986,
      Section 3.2.3, clearly specifies ports as a number in decimal.
      
      net/http uses a mix of net.SplitHostPort and url.Parse that would
      deserve looking into, but in general it seems that it will still accept
      service names in Addr fields as they are passed to net.Listen, while
      rejecting them in URLs, which feels correct.
      
      This leaves a number of invalid URLs to reject, which however are not
      security relevant once the two invariants above hold, so can be done in
      Go 1.14: IPv6 literals without brackets (#31024), invalid IPv6 literals,
      hostnames with invalid characters, and more.
      
      Tested with 200M executions of go-fuzz and the following Fuzz function.
      
      	u, err := url.Parse(string(data))
      	if err != nil {
      		return 0
      	}
      	h := u.Hostname()
      	p := u.Port()
      
      	switch u.Host {
      	case h + ":" + p:
      		return 1
      	case "[" + h + "]:" + p:
      		return 1
      	case h:
      		fallthrough
      	case "[" + h + "]":
      		if p != "" {
      			panic("unexpected Port()")
      		}
      		return 1
      	}
      	panic("Host is not a variant of [Hostname]:Port")
      
      Fixes CVE-2019-14809
      Updates #29098
      
      Change-Id: I7ef40823dab28f29511329fa2d5a7fb10c3ec895
      Reviewed-on: https://go-review.googlesource.com/c/go/+/189258Reviewed-by: default avatarIan Lance Taylor <iant@golang.org>
      61bb56ad
    • Filippo Valsorda's avatar
      src/go.mod: sync golang.org/x/net with h2_bundle.go · 45504066
      Filippo Valsorda authored
      The bundle included changes from a commit after the one referred to by
      the go.mod, probably due to cmd/bundle using the GOPATH source.
      
      Identified with the new go/packages based cmd/bundle from CL 189818.
      
      $ go get golang.org/x/net@461777fb6f
      $ go mod tidy
      $ go mod vendor
      $ go generate net/http # with CL 189818
      
      Also, updated the socks_bundle.go generate command to drop obsolete
      options and match h2_bundle.go. It caused no output changes.
      
      Updates #32031
      
      Change-Id: I0322d4e842dbfdad749455111072ca4872a62ad4
      Reviewed-on: https://go-review.googlesource.com/c/go/+/189897Reviewed-by: default avatarDmitri Shuralyov <dmitshur@golang.org>
      45504066
  9. 11 Aug, 2019 2 commits
  10. 10 Aug, 2019 1 commit
  11. 09 Aug, 2019 4 commits
  12. 08 Aug, 2019 5 commits
  13. 07 Aug, 2019 1 commit
  14. 06 Aug, 2019 5 commits
  15. 05 Aug, 2019 5 commits
  16. 03 Aug, 2019 1 commit
  17. 02 Aug, 2019 2 commits
    • Ian Lance Taylor's avatar
      os: change Readdirnames doc to follow that of Readdir · fc821667
      Ian Lance Taylor authored
      The two methods act the same, so make their documentation similar so
      that people don't think they act differently.
      
      Change-Id: If224692ef50870faf855d789380a614d1e724132
      Reviewed-on: https://go-review.googlesource.com/c/go/+/188137Reviewed-by: default avatarRob Pike <r@golang.org>
      fc821667
    • Damien Neil's avatar
      os: don't consult Is methods on non-syscall error types · d178c588
      Damien Neil authored
      CL #163058 moves interpretation of platform-specific errors to the
      syscall package. Package syscall errors implement an Is method which
      os.IsPermission etc. consult. This results in an unintended semantic
      change to the os package predicate functions: The following program
      now prints 'true' where it used to print 'false':
      
      	package main
      	import "os"
      	type myError struct{ error }
      	func (e myError) Is(target error) bool { return target == os.ErrPermission }
      	func main() { println(os.IsPermission(myError{})) }
      
      Change the os package error predicate functions to only examine syscall
      errors, avoiding this semantic change.
      
      This CL does retain one minor semantic change: On Plan9, os.IsPermission
      used to return true for any error with text containing the string
      "permission denied". It now only returns true for a syscall.ErrorString
      containing that text.
      
      Change-Id: I6b512b1de6ced46c2f1cc8d264fa2495ae7bf9f5
      Reviewed-on: https://go-review.googlesource.com/c/go/+/188817
      Run-TryBot: Ian Lance Taylor <iant@golang.org>
      TryBot-Result: Gobot Gobot <gobot@golang.org>
      Reviewed-by: default avatarIan Lance Taylor <iant@golang.org>
      Reviewed-by: default avatarRuss Cox <rsc@golang.org>
      d178c588