chore: merge stable into main #35
Merged
…r-Encoding headers Do not accept "Transfer-Encoding: \rchunked" as a valid TE header setting chunked encoding. Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying the issue. For #53188 For CVE-2022-1705 Fixes #53433 Change-Id: I1a16631425159267f2eca68056b057192a7edf6c Reviewed-on: https://go-review.googlesource.com/c/go/+/409874 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]> (cherry picked from commit e5017a93fcde94f09836200bca55324af037ee5f) Reviewed-on: https://go-review.googlesource.com/c/go/+/415218 Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
ReverseProxy makes a distinction between nil and zero-length header values. Avoid losing nil-ness when cloning a request. Thanks to Christian Mehlmauer for discovering this. For #53423 For CVE-2022-32148 Fixes #53621 Change-Id: Ice369cdb4712e2d62e25bb881b080847aa4801f5 Reviewed-on: https://go-review.googlesource.com/c/go/+/412857 Reviewed-by: Ian Lance Taylor <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]> (cherry picked from commit b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a) Reviewed-on: https://go-review.googlesource.com/c/go/+/415222 TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> Reviewed-by: Heschi Kreinick <[email protected]> Run-TryBot: Heschi Kreinick <[email protected]> Reviewed-by: Michael Knyszek <[email protected]>
Merge go1.18.5 into the stable v0.2.x train Part of ooni/probe#2223
Part of ooni/probe#2223 I'm reading the diff with respect to main and applying changes that should also be part of the stable branch.
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2022-27664 Fixes #53977 For #54658. Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Michael Knyszek <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Carlos Amedee <[email protected]>
Merge go1.18.6 See ooni/probe#2256
…907013725-0a43f88f7ef0 Restore vendoring after go1.18.6 security release. For #53977 Change-Id: Ifff04582aa3d5fce40606265db42af3415c3c0b4 Reviewed-on: https://go-review.googlesource.com/c/go/+/429316 Reviewed-by: Carlos Amedee <[email protected]> Run-TryBot: Damien Neil <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
…gling Query parameter smuggling occurs when a proxy's interpretation of query parameters differs from that of a downstream server. Change ReverseProxy to avoid forwarding ignored query parameters. Remove unparsable query parameters from the outbound request * if req.Form != nil after calling ReverseProxy.Director; and * before calling ReverseProxy.Rewrite. This change preserves the existing behavior of forwarding the raw query untouched if a Director hook does not parse the query by calling Request.ParseForm (possibly indirectly). Fixes #55842 For #54663 For CVE-2022-2880 Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9 Reviewed-on: https://go-review.googlesource.com/c/go/+/432976 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Damien Neil <[email protected]> (cherry picked from commit 7c84234142149bd24a4096c6cab691d3593f3431) Reviewed-on: https://go-review.googlesource.com/c/go/+/433695 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
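The parsing mismatch described in the commit message above, and the idea behind its fix, as an added Go example (not code from this pull request or from the Go project). `legacyBackendView` is a hypothetical downstream that still splits on `;`, the sample query string is constructed, and `sanitizeQuery` is a simplified model of the fix rather than `ReverseProxy`'s implementation.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// proxyView models a proxy hook that parses the query (as Request.ParseForm
// does): url.ParseQuery in Go 1.17+ rejects any pair containing ';' or a bad
// percent-escape, reports an error, and returns only the pairs it accepted.
func proxyView(raw string) url.Values {
	v, _ := url.ParseQuery(raw)
	return v
}

// legacyBackendView models a hypothetical downstream server that treats ';'
// as a pair separator in addition to '&' (an assumption for illustration).
func legacyBackendView(raw string) url.Values {
	return proxyView(strings.ReplaceAll(raw, ";", "&"))
}

// sanitizeQuery forwards a fully parsable query untouched and otherwise
// re-encodes only the pairs the proxy itself could parse, so the downstream
// never receives parameters the proxy ignored.
func sanitizeQuery(raw string) string {
	if _, err := url.ParseQuery(raw); err == nil {
		return raw
	}
	return proxyView(raw).Encode()
}

func main() {
	raw := "user=alice&x=1;role=admin" // constructed sample query
	fmt.Println("proxy sees role:  ", proxyView(raw)["role"])
	fmt.Println("backend sees role:", legacyBackendView(raw)["role"])
	clean := sanitizeQuery(raw)
	fmt.Println("forwarded query:  ", clean)
	fmt.Println("backend sees role:", legacyBackendView(clean)["role"])
}
```

The untouched-when-parsable branch mirrors the commit message's point that a query the hook never had trouble parsing is forwarded as received.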
… http.Dir on Windows Do not permit access to Windows reserved device names (NUL, COM1, etc.) via os.DirFS and http.Dir filesystems. Avoid escapes from os.DirFS(`\`) on Windows. DirFS would join the root to the relative path with a path separator, making os.DirFS(`\`).Open(`/foo/bar`) open the path `\\foo\bar`, which is a UNC name. Not only does this not open the intended file, but permits reference to any file on the system rather than only files on the current drive. Make os.DirFS("") invalid, with all file access failing. Previously, a root of "" was interpreted as "/", which is surprising and probably unintentional. Fixes CVE-2022-41720. Fixes #56694. Change-Id: I275b5fa391e6ad7404309ea98ccc97405942e0f0 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663832 Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/455360 Reviewed-by: Michael Pratt <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Jenny Rakoczy <[email protected]>
Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. For #56350 For #57008 Fixes CVE-2022-41717 Change-Id: I31ebd2b9ae190ef6f7646187103ea1c8a713ff2e Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663833 Reviewed-by: Tatiana Bradley <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/455361 Run-TryBot: Jenny Rakoczy <[email protected]> Reviewed-by: Michael Pratt <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
chore: update to go1.18.9
There's a need to write better integration tests for this repository. In particular: 1. we need to have confidence that the JA3 signature produced when using a uTLS client is different than the default one (i.e., can we be confident that it's possible to replace TLS?) 2. we need to have robust tests that do not depend on external services but only use localhost, so they don't break often. Part of ooni/probe#2273
Conflicts: example/example-proxy/go.mod example/example-proxy/go.sum example/example-proxy/tls.go example/example-utls-with-dial/go.mod example/example-utls-with-dial/go.sum example/example-utls-with-dial/http.go example/example-utls-with-dial/tls.go example/example-utls/go.mod example/example-utls/go.sum example/example-utls/tls.go
This is now the diff between this branch and stable: ```diff diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 63678c6f56..dd75520d68 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -2,9 +2,9 @@ name: Go on: push: - branches: [ main, stable ] + branches: [ main ] pull_request: - branches: [ main, stable ] + branches: [ main ] jobs: diff --git a/README.md b/README.md index 8e75a9507f..18348d8322 100644 --- a/README.md +++ b/README.md @@ -223,14 +223,14 @@ minor changes (e.g., updating docs) directly on the `main` branch. ```bash set -ex -git checkout stable +git checkout main git remote add golang [email protected]:golang/go.git || git fetch golang -git branch -D golang-upstream golang-http-upstream merged-stable || true +git branch -D golang-upstream golang-http-upstream merged-main || true git fetch golang git checkout -b golang-upstream go1.18.9 git subtree split -P src/net/http/ -b golang-http-upstream -git checkout stable -git checkout -b merged-stable +git checkout main +git checkout -b merged-main git merge golang-http-upstream ``` ```
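Review bot: in the README hunk, the `git remote add golang … || git fetch golang` line is followed two lines later by an unconditional `git fetch golang`, so the fallback fetch is redundant and every run after the first fetches upstream twice. Using `|| true` on that line, as the `git branch -D` line already does, keeps the script re-runnable under `set -ex` with a single fetch.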
bassosimone added a commit to ooni/oocrypto that referenced this pull request Jan 5, 2023
chore: merge stable into main Similar to ooni/oohttp#35 Part of ooni/probe#2273 You can check for yourself the diff between this branch and stable: https://github.com/ooni/oocrypto/compare/7020325..8dbbe22
We currently have two branches and two release trains. However, this is ~bad because it creates more maintenance burden. So, just reckon we're still using go1.18 and make sure main is basically stable with small changes.
So, https://github.com/ooni/oohttp/compare/6a399fd..899c58a contains this diff:
Part of ooni/probe#2273