Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-12-08 06:10:04 +00:00
Code Issues Projects Releases Packages Wiki Activity
go/src
History
Roland Shoemaker e05b2c92d9 [release-branch.go1.25] crypto/x509: rework fix for CVE-2025-58187 
In CL 709854 we enabled strict validation for a number of properties of
domain names (and their constraints). This caused significant breakage,
since we didn't previously disallow the creation of certificates which
contained these malformed domains.

Rollback a number of the properties we enforced, making domainNameValid
only enforce the same properties that domainToReverseLabels does. Since
this also undoes some of the DoS protections our initial fix enabled,
this change also adds caching of constraints in isValid (which perhaps
is the fix we should've initially chosen).

Updates #75835
Updates #75828
Fixes #75861

Change-Id: Ie6ca6b4f30e9b8a143692b64757f7bbf4671ed0e
Reviewed-on: https://go-review.googlesource.com/c/go/+/710735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 1cd71689f2)
Reviewed-on: https://go-review.googlesource.com/c/go/+/710677
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
2025-10-13 08:57:00 -07:00
..
archive [release-branch.go1.25] archive/tar: set a limit on the size of GNU sparse file 1.0 regions 2025-10-07 11:04:24 -07:00
arena
bufio bufio: update buffer documentation 2025-05-21 11:05:26 -07:00
builtin builtin: use list instead of indentation for comments in cap, len, and make 2024-12-30 15:59:23 -08:00
bytes strings,bytes: add internal docs about perennial noCopy questions 2025-05-19 10:38:56 -07:00
cmd [release-branch.go1.25] cmd/compile: don't rely on loop info when there are irreducible loops 2025-10-01 11:40:47 -07:00
cmp cmp: add examples for Compare and Less 2025-03-11 15:22:39 -07:00
compress std: pass bytes.Buffer and strings.Builder by pointer 2025-05-19 09:13:04 -07:00
container container/heap: remove confusing claim of memory leak 2024-01-31 20:27:36 +00:00
context [release-branch.go1.25] context: don't return a non-nil from Err before Done is closed 2025-10-01 12:06:47 -07:00
crypto [release-branch.go1.25] crypto/x509: rework fix for CVE-2025-58187 2025-10-13 08:57:00 -07:00
database/sql [release-branch.go1.25] database/sql: avoid closing Rows while scan is in progress 2025-08-06 10:52:26 -07:00
debug [release-branch.go1.25] debug/pe: permit symbols with no name 2025-10-01 11:58:18 -07:00
embed embed: document exclusions more explicitly 2024-12-05 17:20:19 +00:00
encoding [release-branch.go1.25] encoding/pem: make Decode complexity linear 2025-10-07 11:04:16 -07:00
errors errors: add joinError Unwrap example 2025-05-27 08:37:09 -07:00
expvar all: make use of sync.Map.Clear 2024-04-26 21:32:11 +00:00
flag flag: replace interface{} -> any for textValue.Get method 2025-02-28 08:43:46 -08:00
fmt cmd/compile/internal/walk: convert composite literals to interfaces without allocating 2025-05-21 12:23:26 -07:00
go [release-branch.go1.25] encoding/asn1: prevent memory exhaustion when parsing using internal/saferio 2025-10-07 11:02:22 -07:00
hash hash: document that Clone may only return ErrUnsupported or a nil error 2025-07-03 13:33:26 -07:00
html html/template: document comment stripping 2025-03-17 08:52:14 -07:00
image internal/byteorder: use canonical Go casing in names 2024-11-20 20:59:28 +00:00
index/suffixarray all: change from sort functions to slices functions where feasible 2024-05-23 01:00:11 +00:00
internal [release-branch.go1.25] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed 2025-10-07 11:02:18 -07:00
io io/fs: add examples for Glob,ReadFile and ValidPath 2025-05-27 08:37:04 -07:00
iter iter: add missing type parameter in doc 2025-06-30 07:40:04 -07:00
log log/slog: fix level doc on handlers 2025-06-09 09:04:58 -07:00
maps all: fix some function names and typos in comment 2024-11-21 22:16:20 +00:00
math math: fix portable FMA implementation when x*y ~ 0, x*y < 0 and z = 0 2025-05-19 14:45:48 -07:00
mime mime: speed up ParseMediaType 2025-04-26 08:01:54 -07:00
net [release-branch.go1.25] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed 2025-10-07 11:02:18 -07:00
os [release-branch.go1.25] internal/poll: don't call Seek for overlapped Windows handles 2025-10-01 08:06:41 -07:00
path path: add Join benchmark 2025-04-14 08:06:30 -07:00
plugin plugin: include a warning about race detector compatability in docs 2024-08-09 19:50:41 +00:00
reflect reflect: fix TypeAssert on nil interface values 2025-06-27 16:34:47 -07:00
regexp regexp/syntax: recognize category aliases like \p{Letter} 2025-04-18 14:13:38 -07:00
runtime [release-branch.go1.25] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed 2025-10-07 11:02:18 -07:00
slices slices: update TestIssue68488 to avoid false positives 2025-07-01 08:34:08 -07:00
sort sort: clarify Less doc 2025-07-07 09:13:08 -07:00
strconv strconv: use switch for '+'/'-' prefix handling 2025-04-07 13:36:46 -07:00
strings strings,bytes: add internal docs about perennial noCopy questions 2025-05-19 10:38:56 -07:00
structs cmd/compile: add structs.HostLayout 2024-05-20 21:19:39 +00:00
sync [release-branch.go1.25] sync/atomic: correct Uintptr.Or return doc 2025-10-01 09:40:26 -07:00
syscall os: don't follow symlinks on Windows when O_CREATE|O_EXCL and read-only 2025-05-27 19:35:07 -07:00
testdata
testing synctest: fix comments for time.Now() in synctests 2025-07-10 13:16:07 -07:00
text text/template: limit expression parenthesis nesting 2025-05-17 03:27:48 -07:00
time encoding/json: add json/v2 with GOEXPERIMENT=jsonv2 guard 2025-04-18 08:24:07 -07:00
unicode all: go fmt 2025-07-22 09:16:26 -07:00
unique cmd/compile/internal/ssa: eliminate string copies for calls to unique.Make 2025-05-21 20:20:31 -07:00
unsafe unsafe: say "functions like syscall.Syscall", not only Syscall 2024-07-11 23:38:31 +00:00
vendor all: update vendored dependencies [generated] 2025-06-06 10:04:27 -07:00
weak weak: clarify Pointer equality semantics 2025-03-28 13:50:18 -07:00
all.bash all.{bash,rc}: use "../bin/go tool dist" instead of "%GOTOOLDIR%/dist" print build info 2025-06-10 06:00:41 -07:00
all.bat {all,clean,make,race,run}.bat: simplify error handling 2025-02-11 09:45:10 -08:00
all.rc all.{bash,rc}: use "../bin/go tool dist" instead of "%GOTOOLDIR%/dist" print build info 2025-06-10 06:00:41 -07:00
bootstrap.bash
buildall.bash src/buildall.bash: use grep -E instead of egrep 2024-04-23 17:45:23 +00:00
clean.bash
clean.bat {all,clean,make,race,run}.bat: simplify error handling 2025-02-11 09:45:10 -08:00
clean.rc
cmp.bash
go.mod all: update vendored dependencies [generated] 2025-06-06 10:04:27 -07:00
go.sum all: update vendored dependencies [generated] 2025-06-06 10:04:27 -07:00
make.bash cmd/dist: require Go 1.22.6 as minimum bootstrap toolchain 2024-08-20 17:52:42 +00:00
make.bat make.bat: fix GOROOT_BOOTSTRAP detection 2025-04-03 08:45:30 -07:00
Make.dist
make.rc make.rc: correct test for undefined GOROOT_BOOTSTRAP 2024-11-14 18:02:59 +00:00
race.bash cmd,runtime: enable race detector on loong64 2025-05-07 11:52:31 -07:00
race.bat make.bat,race.bat: simplify --dist-tool handling 2025-02-11 23:09:26 -08:00
README.vendor README.vendor: add note about GOROOT, recommend fresh go 2024-09-30 19:15:39 +00:00
run.bash run.bash: rm bumping open files soft limit 2024-05-15 15:02:23 +00:00
run.bat {all,clean,make,race,run}.bat: simplify error handling 2025-02-11 09:45:10 -08:00
run.rc

README.vendor 

Vendoring in std and cmd
========================

The Go command maintains copies of external packages needed by the
standard library in the src/vendor and src/cmd/vendor directories.

There are two modules, std and cmd, defined in src/go.mod and
src/cmd/go.mod. When a package outside std or cmd is imported
by a package inside std or cmd, the import path is interpreted
as if it had a "vendor/" prefix. For example, within "crypto/tls",
an import of "golang.org/x/crypto/cryptobyte" resolves to
"vendor/golang.org/x/crypto/cryptobyte". When a package with the
same path is imported from a package outside std or cmd, it will
be resolved normally. Consequently, a binary may be built with two
copies of a package at different versions if the package is
imported normally and vendored by the standard library.

Vendored packages are internally renamed with a "vendor/" prefix
to preserve the invariant that all packages have distinct paths.
This is necessary to avoid compiler and linker conflicts. Adding
a "vendor/" prefix also maintains the invariant that standard
library packages begin with a dotless path element.

The module requirements of std and cmd do not influence version
selection in other modules. They are only considered when running
module commands like 'go get' and 'go mod vendor' from a directory
in GOROOT/src.

Maintaining vendor directories
==============================

Before updating vendor directories, ensure that module mode is enabled.
Make sure that GO111MODULE is not set in the environment, or that it is
set to 'on' or 'auto', and if you use a go.work file, set GOWORK=off.

Also, ensure that 'go env GOROOT' shows the root of this Go source
tree. Otherwise, the results are undefined. It's recommended to build
Go from source and use that 'go' binary to update its source tree.

Requirements may be added, updated, and removed with 'go get'.
The vendor directory may be updated with 'go mod vendor'.
A typical sequence might be:

    cd src  # or src/cmd
    go get golang.org/x/net@master
    go mod tidy
    go mod vendor

Use caution when passing '-u' to 'go get'. The '-u' flag updates
modules providing all transitively imported packages, not only
the module providing the target package.

Note that 'go mod vendor' only copies packages that are transitively
imported by packages in the current module. If a new package is needed,
it should be imported before running 'go mod vendor'.