bugfix: fix failure of net/http unit test and enable go test

2024-03-27 13:35:43 +08:00 · 2024-03-27 13:35:43 +08:00 · 2bfc2be1a3
commit 2bfc2be1a3
parent 34dafd6581
3 changed files with 185 additions and 30 deletions
--- a/0058-release-branch.go1.21-html-template-escape-additiona.patch
+++ b/0058-release-branch.go1.21-html-template-escape-additiona.patch
@ -1,13 +1,22 @@
-From d4653b9d8b610a6aaad084a4bffd6eccea993f6f Mon Sep 17 00:00:00 2001
+From d0be7ed96a58e63f8d06efd6957de548ec531234 Mon Sep 17 00:00:00 2001
 From: Roland Shoemaker <roland@golang.org>
-Date: Wed, 14 Feb 2024 17:18:36 -0800
+Date: Thu, 15 Feb 2024 09:18:36 +0800
-Subject: [PATCH 2/4] [release-branch.go1.21] html/template: escape additional
+Subject: [PATCH 3/3] [Backport] html/template: escape additional tokens in
- tokens in MarshalJSON errors
+ MarshalJSON errors
 Offering: Cloud Core Network
 CVE: CVE-2024-24785
 Reference: https://go-review.googlesource.com/c/go/+/567515
 Escape "</script" and "<!--" in errors returned from MarshalJSON errors
 when attempting to marshal types in script blocks. This prevents any
 user controlled content from prematurely terminating the script block.
 Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
 Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
 Edited-by: machangwang m00509938
 Updates #65697
 Fixes #65968
@ -18,13 +27,17 @@ Reviewed-by: Damien Neil <dneil@google.com>
 (cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
 Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
 Reviewed-by: Carlos Amedee <carlos@golang.org>
 Signed-off-by: Ma Chang Wang machangwang@huawei.com
 Conflict:no
 Reference:https://go-review.googlesource.com/c/go/+/567515
 ---
 src/html/template/js.go      | 22 ++++++++-
 src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
 2 files changed, 74 insertions(+), 44 deletions(-)
 diff --git a/src/html/template/js.go b/src/html/template/js.go
-index 35994f076eb..4d3b25d088c 100644
+index 35994f076e..4d3b25d088 100644
 --- a/src/html/template/js.go
 +++ b/src/html/template/js.go
@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
@ -62,7 +75,7 @@ index 35994f076eb..4d3b25d088c 100644
 	// TODO: maybe post-process output to prevent it from containing
 diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
-index de9ef284106..0ad7b49d646 100644
+index de9ef28410..26d6dcd92c 100644
 --- a/src/html/template/js_test.go
 +++ b/src/html/template/js_test.go
@@ -6,6 +6,7 @@ package template
@ -87,7 +100,7 @@ index de9ef284106..0ad7b49d646 100644
 	tests := []struct {
 -		x  interface{}
 -		js string
-+		x        any
+		x        interface{}
 +		js       string
 +		skipNest bool
 	}{
@ -165,8 +178,8 @@ index de9ef284106..0ad7b49d646 100644
 -		{nil, " null "},
 +		{"\t\x0b", `"\t\u000b"`, false},
 +		{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
-+		{[]any{}, "[]", false},
+		{[]interface{}{}, "[]", false},
-+		{[]any{42, "foo", nil}, `[42,"foo",null]`, false},
+		{[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false},
 +		{[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
 +		{"<!--", `"\u003c!--"`, false},
 +		{"-->", `"--\u003e"`, false},
--- a/0060-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
+++ b/0060-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
@ -1,8 +1,12 @@
-From 3d8f3225528f917733569e0ea168581fe8bc1bcc Mon Sep 17 00:00:00 2001
+From d4cc4b6c57ee6749d9c813f83982218d78626ad5 Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
+From: Gustavo Falco <comfortablynumb84@gmail.com>
-Date: Thu, 11 Jan 2024 11:31:57 -0800
+Date: Sun, 11 Dec 2022 02:39:20 +0000
-Subject: [PATCH 4/4] [release-branch.go1.21] net/http, net/http/cookiejar:
+Subject: [PATCH 1/3] [Backport] net/http, net/http/cookiejar: avoid subdomain
- avoid subdomain matches on IPv6 zones
+ matches on IPv6 zones
 Offering: Cloud Core Network
 CVE: CVE-2023-45289
 Reference: https://go-review.googlesource.com/c/go/+/569340
 When deciding whether to forward cookies or sensitive headers
 across a redirect, do not attempt to interpret an IPv6 address
@ -16,31 +20,74 @@ of "www.example.com".
 Thanks to Juho Nurminen of Mattermost for reporting this issue.
 Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
 Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
 Edited-by: zhaoshengwei z00581105
 Fixes CVE-2023-45289
-Fixes #65385
+Fixes #65065
 For #65065
 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
 Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
 Reviewed-by: Roland Shoemaker <bracewell@google.com>
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569340
-Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Reviewed-by: Carlos Amedee <carlos@golang.org>
 Auto-Submit: Michael Knyszek <mknyszek@google.com>
-TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 [Backport] net/http: keep sensitive headers on redirects to the same host
 Offering: Cloud Core Network
 Reference: https://go-review.googlesource.com/c/go/+/424935
 Preserve sensitive headers on a redirect to a different port of the same host.
 Note: The upstream does not submit this change to go1.17 according to the rules of MinorReleases.
 Corego3.x are based on go1.17.8. Therefore, it need to submit the change to corego3.x.
 Edited-by: zhaoshengwei z00581105
 Fixes #35104
 Change-Id: I5ab57c414ce92a70e688ee684b9ff02fb062b3c6
 GitHub-Last-Rev: 8d53e71e2243c141d70d27a503d0f7e6dee64c3c
 GitHub-Pull-Request: golang/go#54539
 Reviewed-on: https://go-review.googlesource.com/c/go/+/424935
 TryBot-Result: Gopher Robot <gobot@golang.org>
 Reviewed-by: Cherry Mui <cherryyz@google.com>
 Reviewed-by: Damien Neil <dneil@google.com>
 Run-TryBot: Damien Neil <dneil@google.com>
 Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 Conflict:no
 Reference:https://go-review.googlesource.com/c/go/+/424935;https://go-review.googlesource.com/c/go/+/569340
 ---
- src/net/http/client.go             |  6 ++++++
+ src/net/http/client.go             | 10 ++++++++--
- src/net/http/client_test.go        |  1 +
+ src/net/http/client_test.go        | 30 +++++++++++++++++++++++++-----
 src/net/http/cookiejar/jar.go      |  7 +++++++
 src/net/http/cookiejar/jar_test.go | 10 ++++++++++
- 4 files changed, 24 insertions(+)
+ src/net/http/transport.go          | 10 +++++++---
 5 files changed, 57 insertions(+), 10 deletions(-)
 diff --git a/src/net/http/client.go b/src/net/http/client.go
-index 4d380c65db9..33a062aa922 100644
+index 4d380c65db..ac14071aee 100644
 --- a/src/net/http/client.go
 +++ b/src/net/http/client.go
@@ -1000,8 +1000,8 @@ func shouldCopyHeaderOnRedirect(headerKey string, initial, dest *url.URL) bool {
 		// directly, we don't know their scope, so we assume
 		// it's for *.domain.com.
 -		ihost := canonicalAddr(initial)
 -		dhost := canonicalAddr(dest)
 +		ihost := idnaASCIIFromURL(initial)
 +		dhost := idnaASCIIFromURL(dest)
 		return isDomainOrSubdomain(dhost, ihost)
 	}
 	// All other headers are copied:
@@ -1016,6 +1016,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
 	if sub == parent {
 		return true
@ -55,19 +102,79 @@ index 4d380c65db9..33a062aa922 100644
 	// that means sub must end in "."+parent.
 	// Do it without allocating.
 diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
-index 01d605c3519..ea71dd23644 100644
+index 01d605c351..6c8d8558bb 100644
 --- a/src/net/http/client_test.go
 +++ b/src/net/http/client_test.go
-@@ -1702,6 +1702,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+@@ -1465,6 +1465,9 @@ func TestClientRedirectResponseWithoutRequest(t *testing.T) {
 }
 // Issue 4800: copy (some) headers when Client follows a redirect.
 +// Issue 35104: Since both URLs have the same host (localhost)
 +// but different ports, sensitive headers like Cookie and Authorization
 +// are preserved.
 func TestClientCopyHeadersOnRedirect(t *testing.T) {
 	const (
 		ua   = "some-agent/1.2"
@@ -1477,6 +1480,8 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
 			"X-Foo":           []string{xfoo},
 			"Referer":         []string{ts2URL},
 			"Accept-Encoding": []string{"gzip"},
 +			"Cookie":          []string{"foo=bar"},
 +			"Authorization":   []string{"secretpassword"},
 		}
 		if !reflect.DeepEqual(r.Header, want) {
 			t.Errorf("Request.Header = %#v; want %#v", r.Header, want)
@@ -1497,9 +1502,11 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
 	c := ts1.Client()
 	c.CheckRedirect = func(r *Request, via []*Request) error {
 		want := Header{
 -			"User-Agent": []string{ua},
 -			"X-Foo":      []string{xfoo},
 -			"Referer":    []string{ts2URL},
 +			"User-Agent":    []string{ua},
 +			"X-Foo":         []string{xfoo},
 +			"Referer":       []string{ts2URL},
 +			"Cookie":        []string{"foo=bar"},
 +			"Authorization": []string{"secretpassword"},
 		}
 		if !reflect.DeepEqual(r.Header, want) {
 			t.Errorf("CheckRedirect Request.Header = %#v; want %#v", r.Header, want)
@@ -1701,18 +1708,31 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
 		{"cookie", "http://foo.com/", "http://bar.com/", false},
 		{"cookie2", "http://foo.com/", "http://bar.com/", false},
 		{"authorization", "http://foo.com/", "http://bar.com/", false},
 +		{"authorization", "http://foo.com/", "https://foo.com/", true},
 +		{"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true},
 		{"www-authenticate", "http://foo.com/", "http://bar.com/", false},
 +		{"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
 		// But subdomains should work:
 		{"www-authenticate", "http://foo.com/", "http://foo.com/", true},
 		{"www-authenticate", "http://foo.com/", "http://sub.foo.com/", true},
 		{"www-authenticate", "http://foo.com/", "http://notfoo.com/", false},
 -		{"www-authenticate", "http://foo.com/", "https://foo.com/", false},
 +		{"www-authenticate", "http://foo.com/", "https://foo.com/", true},
 		{"www-authenticate", "http://foo.com:80/", "http://foo.com/", true},
 		{"www-authenticate", "http://foo.com:80/", "http://sub.foo.com/", true},
 		{"www-authenticate", "http://foo.com:443/", "https://foo.com/", true},
 		{"www-authenticate", "http://foo.com:443/", "https://sub.foo.com/", true},
 -		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", false},
 +		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", true},
 +
 +		{"authorization", "http://foo.com/", "http://foo.com/", true},
 +		{"authorization", "http://foo.com/", "http://sub.foo.com/", true},
 +		{"authorization", "http://foo.com/", "http://notfoo.com/", false},
 +		{"authorization", "http://foo.com/", "https://foo.com/", true},
 +		{"authorization", "http://foo.com:80/", "http://foo.com/", true},
 +		{"authorization", "http://foo.com:80/", "http://sub.foo.com/", true},
 +		{"authorization", "http://foo.com:443/", "https://foo.com/", true},
 +		{"authorization", "http://foo.com:443/", "https://sub.foo.com/", true},
 +		{"authorization", "http://foo.com:1234/", "http://foo.com/", true},
 	}
 	for i, tt := range tests {
 		u0, err := url.Parse(tt.initialURL)
 diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
-index e6583da7fe6..f2cf9c2d8de 100644
+index e6583da7fe..f2cf9c2d8d 100644
 --- a/src/net/http/cookiejar/jar.go
 +++ b/src/net/http/cookiejar/jar.go
@@ -362,6 +362,13 @@ func jarKey(host string, psl PublicSuffixList) string {
@ -85,7 +192,7 @@ index e6583da7fe6..f2cf9c2d8de 100644
 }
 diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
-index 47fb1abdaaf..fd8d40ed1b9 100644
+index 47fb1abdaa..fd8d40ed1b 100644
 --- a/src/net/http/cookiejar/jar_test.go
 +++ b/src/net/http/cookiejar/jar_test.go
@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{
@ -112,6 +219,35 @@ index 47fb1abdaaf..fd8d40ed1b9 100644
 }
 func TestBasics(t *testing.T) {
 diff --git a/src/net/http/transport.go b/src/net/http/transport.go
 index 309194e8e5..6cf5e65276 100644
 --- a/src/net/http/transport.go
 +++ b/src/net/http/transport.go
@@ -2719,17 +2719,21 @@ var portMap = map[string]string{
 	"socks5": "1080",
 }
 -// canonicalAddr returns url.Host but always with a ":port" suffix
 -func canonicalAddr(url *url.URL) string {
 +func idnaASCIIFromURL(url *url.URL) string {
 	addr := url.Hostname()
 	if v, err := idnaASCII(addr); err == nil {
 		addr = v
 	}
 +	return addr
 +}
 +
 +// canonicalAddr returns url.Host but always with a ":port" suffix.
 +func canonicalAddr(url *url.URL) string {
 	port := url.Port()
 	if port == "" {
 		port = portMap[url.Scheme]
 	}
 -	return net.JoinHostPort(addr, port)
 +	return net.JoinHostPort(idnaASCIIFromURL(url), port)
 }
 // bodyEOFSignal is used by the HTTP/1 transport when reading response
 -- 
 2.33.0
--- a/golang.spec
+++ b/golang.spec
@ -63,7 +63,7 @@
 Name:           golang
 Version:        1.17.3
-Release:        28
+Release:        29
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -403,7 +403,7 @@ export GO_TEST_TIMEOUT_SCALE=2
 %if %{fail_on_tests}
 echo tests ignored
 %else
-./run.bash --no-rebuild -v -v -v -k go_test:testing || :
+./run.bash --no-rebuild -v -k -run='!(archive/tar|go/build|cmd/link|cmd/nm|tyepparams|race|flag|cgo_stdio|cgo_life|cgo_errors|test:0_1|api)'
 %endif
 cd ..
@ -448,6 +448,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 %changelog
 * Wed Mar 27 2024 hanchao <hanchao63@huawei.com> - 1.17.3-29
 - Type:bugfix
 - CVE:
 - SUG:NA
 - DESC:fix failure of `net/http` unit test and enable go unit test
 * Fri Mar 15 2024 hanchao <hanchao63@huawei.com> - 1.17.3-28
 - Type:CVE
 - CVE:CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289