chore: remove leftover tooling artifacts (watermark, changelog)
This commit is contained in:
Rodin
@@ -1,7 +0,0 @@
|
||||
{
|
||||
"source_repo": "golang/go",
|
||||
"last_digest_sha": "0e9a844b0d110deb6821df45b260332b923615f3",
|
||||
"last_digest_at": "2026-04-30T14:01:00Z",
|
||||
"last_refresh_sha": null,
|
||||
"last_refresh_at": null
|
||||
}
|
||||
@@ -1,91 +0,0 @@
|
||||
# Go Daily Digest — 2026-04-30
|
||||
|
||||
13 commits merged to master. Security-heavy day with 3 CVEs fixed.
|
||||
|
||||
## Security Fixes
|
||||
|
||||
### html/template: fix escaping of URLs in meta content attributes
|
||||
- **CVE:** CVE-2026-39823
|
||||
- **Issue:** [#78913](https://github.com/golang/go/issues/78913)
|
||||
- **Author:** Neal Patel
|
||||
- **Reviewed by:** Roland Shoemaker
|
||||
- **What:** Bypass of CVE-2026-27142 fix. WHATWG shared declarative refresh steps algorithm skips ASCII whitespace between `url` and `=` in meta content; escaper didn't account for that.
|
||||
- **Impact:** XSS via meta refresh redirect templates. Update if using html/template with meta redirects.
|
||||
|
||||
### html/template: fix escaper bypass via empty script type
|
||||
- **CVE:** CVE-2026-39826
|
||||
- **Issue:** [#78981](https://github.com/golang/go/issues/78981)
|
||||
- **Author:** Neal Patel
|
||||
- **Reviewed by:** Roland Shoemaker
|
||||
- **What:** `<script type="">`, `<script type=" ">`, and `<script type="\t">` execute as JavaScript per spec, but escaper treated them as non-JS.
|
||||
- **Impact:** XSS vector. Browser quirks continue to be security bugs.
|
||||
|
||||
### net/mail: fix quadratic consumePhrase behavior
|
||||
- **CVE:** CVE-2026-42499
|
||||
- **Issue:** [#78987](https://github.com/golang/go/issues/78987)
|
||||
- **Author:** Neal Patel
|
||||
- **Reviewed by:** Nicholas Husin
|
||||
- **What:** O(n²) string concatenation in email address parsing.
|
||||
- **Impact:** CPU exhaustion on untrusted email headers.
|
||||
|
||||
## Tooling
|
||||
|
||||
### cmd/go: set a HTTP user agent
|
||||
- **Author:** Sean Liao
|
||||
- **Issue:** [#78891](https://github.com/golang/go/issues/78891), Updates [#35699](https://github.com/golang/go/issues/35699)
|
||||
- **What:** cmd/go now sends a fixed user-agent string. Original proposal declined for privacy (no version info), but static identifier useful for module proxies/CDNs.
|
||||
|
||||
### cmd/go: add go1.24 requirement when running go get with tools
|
||||
- **Author:** Olivier Mengué
|
||||
- **Issue:** Fixes [#74739](https://github.com/golang/go/issues/74739)
|
||||
- **What:** Tool directives enforce minimum go1.24 in go.mod. Prevents confusing failures with older toolchains.
|
||||
|
||||
### cmd/go: loosen go work sync version requirements
|
||||
- **Author:** Michael Matloob
|
||||
- **Issue:** Fixes [#65363](https://github.com/golang/go/issues/65363)
|
||||
- **What:** Workspace replace directives could hide requirements causing conflicts during sync. Requirements are now additive; errors surfaced properly instead of silently dropped.
|
||||
|
||||
## Compiler & Linker
|
||||
|
||||
### cmd/compile, go/types: disable constant string size check
|
||||
- **Author:** Cherry Mui
|
||||
- **Issue:** Updates [#78346](https://github.com/golang/go/issues/78346)
|
||||
- **What:** Recently-added string constant size check eagerly constructed strings via constant.StringVal, causing massive memory usage with exponential doubling patterns. Rolled back pending lazy-length API.
|
||||
- **Lesson:** Performance-sensitive checks need lazy evaluation.
|
||||
|
||||
### cmd/link: make -f flag actually ignore version mismatch
|
||||
- **Author:** Cherry Mui
|
||||
- **What:** The -f flag was documented as "ignore version mismatch" but didn't. Now it does.
|
||||
|
||||
## Crypto
|
||||
|
||||
### crypto/fips140: add package docs
|
||||
- **Author:** Filippo Valsorda
|
||||
- **Issue:** Fixes [#77879](https://github.com/golang/go/issues/77879)
|
||||
- **What:** FIPS 140 package now has proper documentation.
|
||||
|
||||
### crypto/sha3: ensure unwrapped *sha3.Digest are usable
|
||||
- **Author:** Neal Patel
|
||||
- **Issue:** Updates [#75154](https://github.com/golang/go/issues/75154)
|
||||
|
||||
### crypto/mlkem: enrich DecapsulationKey768|1024 doc comments
|
||||
- **Author:** Neal Patel
|
||||
- **What:** Better docs for post-quantum ML-KEM decapsulation key types.
|
||||
|
||||
## Documentation
|
||||
|
||||
### os/signal: add Notify windows documentation
|
||||
- **Author:** Alex Brainman
|
||||
- **Issue:** Updates [#77076](https://github.com/golang/go/issues/77076)
|
||||
- **What:** Clarifies that only os.Interrupt is supported on Windows.
|
||||
|
||||
### encoding/json/jsontext: add TODO about removing Internal symbol
|
||||
- **Author:** Joe Tsai
|
||||
- **Issue:** Updates [#73435](https://github.com/golang/go/issues/73435)
|
||||
- **What:** Internal symbol is a hack for module-only visibility. TODO to replace with type aliases when pkgsite supports forwarded symbol docs.
|
||||
|
||||
## Patterns to Extract
|
||||
|
||||
- **Browser quirk security:** Any HTML spec edge case (whitespace handling, empty attributes) that browsers implement literally is a potential escaper bypass. The html/template package keeps getting hit by these.
|
||||
- **Lazy evaluation for safety checks:** When adding correctness checks to compilers, the check itself must not trigger the expensive operation it's guarding against (see constant string size check OOM).
|
||||
- **"Works as documented" audit:** The linker -f flag bug shows value in periodically verifying that documented behavior actually works. Fuzz the docs, not just the code.
|
||||
Reference in New Issue
Block a user