1.20.7

2023-08-07 16:01:31 +08:00 · 2023-08-07 16:01:31 +08:00 · c79107b0b3
commit c79107b0b3
parent 36208f464b
4 changed files with 24 additions and 265 deletions
--- a/0002-cmd-go-use-local-proxy-and-sumdb.patch
+++ b/0002-cmd-go-use-local-proxy-and-sumdb.patch
--- a/0002-release-branch.go1.19-net-http-validate-Host-header-.patch
+++ b/0002-release-branch.go1.19-net-http-validate-Host-header-.patch
@ -1,211 +0,0 @@
-From 312920c00aac9897b2a0693e752390b5b0711a5a Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
-Date: Wed, 28 Jun 2023 13:20:08 -0700
-Subject: [PATCH 1/4] [release-branch.go1.20] net/http: validate Host header
- before sending
-
-Verify that the Host header we send is valid.
-Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
-adding an X-Evil header to HTTP/1 requests.
-
-Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
-header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
-the header and will go into a retry loop when the server rejects it.
-CL 506995 adds the necessary validation to x/net/http2.
-
-For #60374
-Fixes #61076
-For CVE-2023-29406
-
-Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
-Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-TryBot-Result: Gopher Robot <gobot@golang.org>
-Run-TryBot: Damien Neil <dneil@google.com>
-(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
-Reviewed-on: https://go-review.googlesource.com/c/go/+/507357
-Reviewed-by: Damien Neil <dneil@google.com>
-Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
-Reviewed-by: Roland Shoemaker <roland@golang.org>
---
- src/net/http/http_test.go      | 29 ---------------------
- src/net/http/request.go        | 47 ++++++++--------------------------
- src/net/http/request_test.go   | 11 ++------
- src/net/http/transport_test.go | 19 ++++++++++++++
- 4 files changed, 31 insertions(+), 75 deletions(-)
-
-diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
-index 0d92fe5f96..f03272ab91 100644
--- a/src/net/http/http_test.go
-+++ b/src/net/http/http_test.go
-@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) {
- 	}
- }
- 
-func TestCleanHost(t *testing.T) {
-	tests := []struct {
-		in, want string
-	}{
-		{"www.google.com", "www.google.com"},
-		{"www.google.com foo", "www.google.com"},
-		{"www.google.com/foo", "www.google.com"},
-		{" first character is a space", ""},
-		{"[1::6]:8080", "[1::6]:8080"},
-
-		// Punycode:
-		{"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
-		{"bücher.de", "xn--bcher-kva.de"},
-		{"bücher.de:8080", "xn--bcher-kva.de:8080"},
-		// Verify we convert to lowercase before punycode:
-		{"BÜCHER.de", "xn--bcher-kva.de"},
-		{"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
-		// Verify we normalize to NFC before punycode:
-		{"gophér.nfc", "xn--gophr-esa.nfc"},            // NFC input; no work needed
-		{"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
-	}
-	for _, tt := range tests {
-		got := cleanHost(tt.in)
-		if tt.want != got {
-			t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
-		}
-	}
-}
-
- // Test that cmd/go doesn't link in the HTTP server.
- //
- // This catches accidental dependencies between the HTTP transport and
-diff --git a/src/net/http/request.go b/src/net/http/request.go
-index a45c9e3d18..9c888b3768 100644
--- a/src/net/http/request.go
-+++ b/src/net/http/request.go
-@@ -17,7 +17,6 @@ import (
- 	"io"
- 	"mime"
- 	"mime/multipart"
-	"net"
- 	"net/http/httptrace"
- 	"net/http/internal/ascii"
- 	"net/textproto"
-@@ -27,6 +26,7 @@ import (
- 	"strings"
- 	"sync"
- 
-+	"golang.org/x/net/http/httpguts"
- 	"golang.org/x/net/idna"
- )
- 
-@@ -575,12 +575,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
- 	// is not given, use the host from the request URL.
- 	//
- 	// Clean the host, in case it arrives with unexpected stuff in it.
-	host := cleanHost(r.Host)
-+	host := r.Host
- 	if host == "" {
- 		if r.URL == nil {
- 			return errMissingHost
- 		}
-		host = cleanHost(r.URL.Host)
-+		host = r.URL.Host
-+	}
-+	host, err = httpguts.PunycodeHostPort(host)
-+	if err != nil {
-+		return err
-+	}
-+	if !httpguts.ValidHostHeader(host) {
-+		return errors.New("http: invalid Host header")
- 	}
- 
- 	// According to RFC 6874, an HTTP client, proxy, or other
-@@ -737,40 +744,6 @@ func idnaASCII(v string) (string, error) {
- 	return idna.Lookup.ToASCII(v)
- }
- 
-// cleanHost cleans up the host sent in request's Host header.
-//
-// It both strips anything after '/' or ' ', and puts the value
-// into Punycode form, if necessary.
-//
-// Ideally we'd clean the Host header according to the spec:
-//
-//	https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
-//	https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
-//	https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
-//
-// But practically, what we are trying to avoid is the situation in
-// issue 11206, where a malformed Host header used in the proxy context
-// would create a bad request. So it is enough to just truncate at the
-// first offending character.
-func cleanHost(in string) string {
-	if i := strings.IndexAny(in, " /"); i != -1 {
-		in = in[:i]
-	}
-	host, port, err := net.SplitHostPort(in)
-	if err != nil { // input was just a host
-		a, err := idnaASCII(in)
-		if err != nil {
-			return in // garbage in, garbage out
-		}
-		return a
-	}
-	a, err := idnaASCII(host)
-	if err != nil {
-		return in // garbage in, garbage out
-	}
-	return net.JoinHostPort(a, port)
-}
-
- // removeZone removes IPv6 zone identifier from host.
- // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
- func removeZone(host string) string {
-diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
-index 23e49d6b8e..86c68e470e 100644
--- a/src/net/http/request_test.go
-+++ b/src/net/http/request_test.go
-@@ -774,15 +774,8 @@ func TestRequestBadHost(t *testing.T) {
- 	}
- 	req.Host = "foo.com with spaces"
- 	req.URL.Host = "foo.com with spaces"
-	req.Write(logWrites{t, &got})
-	want := []string{
-		"GET /after HTTP/1.1\r\n",
-		"Host: foo.com\r\n",
-		"User-Agent: " + DefaultUserAgent + "\r\n",
-		"\r\n",
-	}
-	if !reflect.DeepEqual(got, want) {
-		t.Errorf("Writes = %q\n  Want = %q", got, want)
-+	if err := req.Write(logWrites{t, &got}); err == nil {
-+		t.Errorf("Writing request with invalid Host: succeded, want error")
- 	}
- }
- 
-diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
-index 245f73bc9f..f4896c5026 100644
--- a/src/net/http/transport_test.go
-+++ b/src/net/http/transport_test.go
-@@ -6654,3 +6654,22 @@ func testHandlerAbortRacesBodyRead(t *testing.T, mode testMode) {
- 	}
- 	wg.Wait()
- }
-+
-+func TestRequestSanitization(t *testing.T) { run(t, testRequestSanitization) }
-+func testRequestSanitization(t *testing.T, mode testMode) {
-+	if mode == http2Mode {
-+		// Remove this after updating x/net.
-+		t.Skip("https://go.dev/issue/60374 test fails when run with HTTP/2")
-+	}
-+	ts := newClientServerTest(t, mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
-+		if h, ok := req.Header["X-Evil"]; ok {
-+			t.Errorf("request has X-Evil header: %q", h)
-+		}
-+	})).ts
-+	req, _ := NewRequest("GET", ts.URL, nil)
-+	req.Host = "go.dev\r\nX-Evil:evil"
-+	resp, _ := ts.Client().Do(req)
-+	if resp != nil {
-+		resp.Body.Close()
-+	}
-+}
-- 
-2.33.0
-
--- a/go1.20.7.src.tar.gz
+++ b/go1.20.7.src.tar.gz
--- a/golang.spec
+++ b/golang.spec
@ -59,8 +59,8 @@
 %endif

 Name:           golang
-Version:        1.20.5
-Release:        3
+Version:        1.20.7
+Release:        1
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -91,51 +91,19 @@ Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
 Recommends: glibc gcc git subversion

-# generated by:
-# go list -f {{.ImportPath}} ./src/vendor/... | sed "s:_$PWD/src/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):" && go list -f {{.ImportPath}} ./src/cmd/vendor/... | sed "s:_$PWD/src/cmd/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):"
-Provides: bundled(golang(golang.org/x/crypto/chacha20poly1305))
-Provides: bundled(golang(golang.org/x/crypto/cryptobyte))
-Provides: bundled(golang(golang.org/x/crypto/cryptobyte/asn1))
-Provides: bundled(golang(golang.org/x/crypto/curve25519))
-Provides: bundled(golang(golang.org/x/crypto/internal/chacha20))
-Provides: bundled(golang(golang.org/x/crypto/poly1305))
-Provides: bundled(golang(golang.org/x/net/dns/dnsmessage))
-Provides: bundled(golang(golang.org/x/net/http/httpguts))
-Provides: bundled(golang(golang.org/x/net/http/httpproxy))
-Provides: bundled(golang(golang.org/x/net/http2/hpack))
-Provides: bundled(golang(golang.org/x/net/idna))
-Provides: bundled(golang(golang.org/x/net/internal/nettest))
-Provides: bundled(golang(golang.org/x/net/nettest))
-Provides: bundled(golang(golang.org/x/text/secure))
-Provides: bundled(golang(golang.org/x/text/secure/bidirule))
-Provides: bundled(golang(golang.org/x/text/transform))
-Provides: bundled(golang(golang.org/x/text/unicode))
-Provides: bundled(golang(golang.org/x/text/unicode/bidi))
-Provides: bundled(golang(golang.org/x/text/unicode/norm))
-Provides: bundled(golang(github.com/google/pprof/driver))
-Provides: bundled(golang(github.com/google/pprof/internal/binutils))
-Provides: bundled(golang(github.com/google/pprof/internal/driver))
-Provides: bundled(golang(github.com/google/pprof/internal/elfexec))
-Provides: bundled(golang(github.com/google/pprof/internal/graph))
-Provides: bundled(golang(github.com/google/pprof/internal/measurement))
-Provides: bundled(golang(github.com/google/pprof/internal/plugin))
-Provides: bundled(golang(github.com/google/pprof/internal/proftest))
-Provides: bundled(golang(github.com/google/pprof/internal/report))
-Provides: bundled(golang(github.com/google/pprof/internal/symbolizer))
-Provides: bundled(golang(github.com/google/pprof/internal/symbolz))
-Provides: bundled(golang(github.com/google/pprof/profile))
-Provides: bundled(golang(github.com/google/pprof/third.party/d3))
-Provides: bundled(golang(github.com/google/pprof/third.party/d3flamegraph))
-Provides: bundled(golang(github.com/google/pprof/third.party/svgpan))
-Provides: bundled(golang(github.com/ianlancetaylor/demangle))
-Provides: bundled(golang(golang.org/x/arch/arm/armasm))
-Provides: bundled(golang(golang.org/x/arch/arm64/arm64asm))
-Provides: bundled(golang(golang.org/x/arch/ppc64/ppc64asm))
-Provides: bundled(golang(golang.org/x/arch/x86/x86asm))
-Provides: bundled(golang(golang.org/x/crypto/ssh/terminal))
-Provides: bundled(golang(golang.org/x/sys/unix))
-Provides: bundled(golang(golang.org/x/sys/windows))
-Provides: bundled(golang(golang.org/x/sys/windows/registry))
+# Bundled/Vendored provides generated by bundled-deps.sh based on the in tree module data
+# - in version filed substituted with . per versioning guidelines
+Provides: bundled(golang(github.com/google/pprof)) = 0.0.0.20221118152302.e6195bd50e26
+Provides: bundled(golang(github.com/ianlancetaylor/demangle)) = 0.0.0.20220319035150.800ac71e25c2
+Provides: bundled(golang(golang.org/x/arch)) = 0.1.1.0.20221116201807.1bb480fc256a
+Provides: bundled(golang(golang.org/x/crypto)) = 0.3.1.0.20221117191849.2c476679df9a
+Provides: bundled(golang(golang.org/x/mod)) = 0.7.0
+Provides: bundled(golang(golang.org/x/net)) = 0.4.1.0.20230214201333.88ed8ca3307d
+Provides: bundled(golang(golang.org/x/sync)) = 0.1.0
+Provides: bundled(golang(golang.org/x/sys)) = 0.3.0
+Provides: bundled(golang(golang.org/x/term)) = 0.2.0
+Provides: bundled(golang(golang.org/x/text)) = 0.5.0
+Provides: bundled(golang(golang.org/x/tools)) = 0.3.1.0.20230118190848.070db2996ebe

 Provides:       %{name}-bin = %{version}-%{release}
 Obsoletes:      %{name}-bin
@ -147,8 +115,7 @@ Obsoletes:      emacs-%{name} < 1.4
 Requires:       %{vendor}-rpm-config

 Patch6001:  0001-Enable-go-plugin-support-for-riscv64-based-on-work-b.patch
-Patch6002:  0002-release-branch.go1.19-net-http-validate-Host-header-.patch
-Patch6003:  0003-cmd-go-use-local-proxy-and-sumdb.patch
+Patch6002:  0002-cmd-go-use-local-proxy-and-sumdb.patch
 ExclusiveArch:  %{golang_arches}

 %description
@ -159,9 +126,9 @@ Summary:       Golang compiler helps and manual docs
 Requires:      %{name} = %{version}-%{release}
 BuildArch:     noarch
 Provides:      %{name}-docs = %{version}-%{release}
-Obsoletes:     %{name}-docs
+Obsoletes:     %{name}-docs < %{version}-%{release}
 Provides:      %{name}-shared = %{version}-%{release}
-Obsoletes:     %{name}-shared
+Obsoletes:     %{name}-shared < %{version}-%{release}

 %description   help
 %{summary}.
@ -171,11 +138,11 @@ Summary:       Golang compiler devel
 BuildArch:     noarch
 Requires:      %{name} = %{version}-%{release}
 Provides:      %{name}-src  = %{version}-%{release}
-Obsoletes:     %{name}-src
+Obsoletes:     %{name}-src < %{version}-%{release}
 Provides:      %{name}-tests = %{version}-%{release}
-Obsoletes:     %{name}-tests
+Obsoletes:     %{name}-tests < %{version}-%{release}
 Provides:      %{name}-misc = %{version}-%{release}
-Obsoletes:     %{name}-misc
+Obsoletes:     %{name}-misc < %{version}-%{release}
 Obsoletes:     %{name}-race = %{version}-%{release}

 %description   devel
@ -386,6 +353,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Mon Aug 7 2023 Funda Wang <fundawang@yeah.net> - 1.20.7-1
+- New version 1.20.7
+
 * Sun Jul 30 2023 Funda Wang <fundawang@yeah.net> - 1.20.5-3
 - Use local proxy and sumdb for speed up