Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: golang/go
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: go1.19.8
Choose a base ref
...
head repository: golang/go
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: go1.19.9
Choose a head ref
  • 10 commits
  • 87 files changed
  • 7 contributors

Commits on Apr 5, 2023

  1. [release-branch.go1.19] cmd/compile: defer transitive inlining until … 

    …after AST is edited

This CL changes the inliner to process transitive inlining iteratively
after the AST has actually been edited, rather than recursively and
immediately. This is important for handling indirect function calls
correctly, because ir.reassigned walks the function body looking for
reassignments; whereas previously the inlined reassignments might not
have been actually added to the AST yet.

Fixes #59158.

This change was previously reverted as CL 481796 because the branch
was frozen for release.

Change-Id: I97fcd32956cc1349d87a92066e8559cb90da73b7
Reviewed-on: https://go-review.googlesource.com/c/go/+/481797
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
    @mknyszek
    mknyszek committed Apr 5, 2023

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    GPG key ID: 4AEE18F83AFDEB23
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    e6130c6 View commit details

  2. [release-branch.go1.19] html/template,mime/multipart: document new GO… 

    …DEBUG settings

This change documents the new GODEBUG settings introduced for
html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3
as part of a security fix.

Updates #59153.
For #59269.
Updates #59234.
For #59271.

Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/482535
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
    @mknyszek @gopherbot
    mknyszek authored and gopherbot committed Apr 5, 2023
    Copy the full SHA
    22c1d18 View commit details

Commits on Apr 12, 2023

  1. [release-branch.go1.19] cmd/compile: fix ir.StaticValue for ORANGE 

    Range statement will mutate the key and value, so we should treat them as reassigned.

Fixes #59579

Change-Id: I9c6b67d938760a0c6a1d9739f2737c67af4a3a10
Reviewed-on: https://go-review.googlesource.com/c/go/+/483855
Run-TryBot: Wayne Zuo <wdvxdr@golangcn.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Auto-Submit: Keith Randall <khr@golang.org>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
(cherry picked from commit 89567a3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/484135
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
    @wdvxdr1123 @mdempsky
    wdvxdr1123 authored and mdempsky committed Apr 12, 2023
    Copy the full SHA
    abb86e6 View commit details

Commits on Apr 14, 2023

  1. [release-branch.go1.19] syscall: restore original NOFILE rlimit in ch… 

    …ild process

If we increased the NOFILE rlimit when starting the program,
restore the original rlimit when forking a child process.

In CL 393354 the os package was changed to raise the open file rlimit
at program start. That code is not inherently tied to the os package.
This CL moves it into the syscall package.

This is a backport of CLs 476096 and 476097 from trunk.

For #46279
Fixes #59063

Change-Id: I9be6ecc52d4f82eb226907611aec9df808e1da84
Reviewed-on: https://go-review.googlesource.com/c/go/+/478660
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
    @ianlancetaylor
    ianlancetaylor authored and Ian Lance Taylor committed Apr 14, 2023
    Copy the full SHA
    130a7f8 View commit details

Commits on Apr 24, 2023

  1. [release-branch.go1.19] cmd/compile: use correct type for byteswaps o… 

    …n multi-byte stores

Use the type of the store for the byteswap, not the type of the
store's value argument.

Normally when we're storing a 16-bit value, the value being stored is
also typed as 16 bits. But sometimes it is typed as something smaller,
usually because it is the result of an upcast from a smaller value,
and that upcast needs no instructions.

If the type of the store's arg is thinner than the type being stored,
and the byteswap'd value uses that thinner type, and the byteswap'd
value needs to be spilled & restored, that spill/restore happens using
the thinner type, which causes us to lose some of the top bits of the
value.

Fixes #59373

Change-Id: If6ce1e8a76f18bf8e9d79871b6caa438bc3cce4d
Reviewed-on: https://go-review.googlesource.com/c/go/+/481395
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/483177
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
    @randall77 @gopherbot
    randall77 authored and gopherbot committed Apr 24, 2023
    Copy the full SHA
    ca9947d View commit details

  2. [release-branch.go1.19] crypto/tls: fix PSK binder calculation 

    When server and client have mismatch in curve preference, the server will
send HelloRetryRequest during TLSv1.3 PSK resumption. There was a bug
introduced by Go1.19.6 or later and Go1.20.1 or later, that makes the client
calculate the PSK binder hash incorrectly. Server will reject the TLS
handshake by sending alert: invalid PSK binder.

For #59424.
Fixes #59539.

Change-Id: I2ca8948474275740a36d991c057b62a13392dbb9
GitHub-Last-Rev: 1aad9bc
GitHub-Pull-Request: #59425
Reviewed-on: https://go-review.googlesource.com/c/go/+/481955
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 2c70690)
Reviewed-on: https://go-review.googlesource.com/c/go/+/488075
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
    @tsaarni @gopherbot
    tsaarni authored and gopherbot committed Apr 24, 2023
    Copy the full SHA
    c3c53a2 View commit details

Commits on May 2, 2023

  1. [release-branch.go1.19] html/template: disallow angle brackets in CSS… 

    … values

Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59720
Fixes #59811
Fixes CVE-2023-24539

Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491335
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
    @rolandshoemaker @cagedmantis
    rolandshoemaker authored and cagedmantis committed May 2, 2023
    Copy the full SHA
    e492823 View commit details

  2. [release-branch.go1.19] html/template: handle all JS whitespace chara… 

    …cters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For #59721
Fixes  #59813
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Carlos Amedee <carlos@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
    @rolandshoemaker @cagedmantis
    rolandshoemaker authored and cagedmantis committed May 2, 2023
    Copy the full SHA
    ce7bd33 View commit details

  3. [release-branch.go1.19] html/template: emit filterFailsafe for empty … 

    …unquoted attr value

An unquoted action used as an attribute value can result in unsafe
behavior if it is empty, as HTML normalization will result in unexpected
attributes, and may allow attribute injection. If executing a template
results in a empty unquoted attribute value, emit filterFailsafe
instead.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

For #59722
Fixes #59815
Fixes CVE-2023-29400

Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851498
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491357
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    @rolandshoemaker @cagedmantis
    rolandshoemaker authored and cagedmantis committed May 2, 2023
    Copy the full SHA
    9db0e74 View commit details

  4. [release-branch.go1.19] go1.19.9 

    Change-Id: Ib6c0fa04bf59bfaae8081927059b4860dfcf6d21
Reviewed-on: https://go-review.googlesource.com/c/go/+/491436
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Carlos Amedee <carlos@golang.org>
    @gopherbot
    gopherbot committed May 2, 2023
    Copy the full SHA
    484330d View commit details
Loading