Skip to content

[pull] master from golang:master#131

Merged
pull[bot] merged 7 commits into
trailofbits:masterfrom
golang:master
Jul 15, 2026
Merged

[pull] master from golang:master#131
pull[bot] merged 7 commits into
trailofbits:masterfrom
golang:master

Conversation

@pull

@pull pull Bot commented Jul 15, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

nicholashusin and others added 7 commits July 14, 2026 13:19
When a FileServer redirects to a canonical path, it uses relative
redirects, to ensure compatibility with StripPrefix. If the request path
contained escaped slashes (%2f), the relative redirect can be
misresolved because the client and server disagree on the path segments.

Since there is no generalized fix that works in all cases, return a 404
instead of redirecting when the request path contains escaped slashes.

For #80289

Change-Id: Ice139c4ed2ece221eb36225c7ddcd2fb6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/799982
Commit-Queue: Nicholas Husin <nsh@golang.org>
Auto-Submit: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Pull in the fix implemented in CL 800620.

Fixes #80363.

[git-generate]
updatestd -goroot=$(pwd) -branch=internal-branch.go1.27-vendor

Change-Id: I1b4dcbccdaa22f0949edd9add26fae0a3ff5409a
Reviewed-on: https://go-review.googlesource.com/c/go/+/798502
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
Auto-Submit: Alan Donovan <adonovan@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Commit-Queue: Alan Donovan <adonovan@google.com>
Change-Id: I80de837203b6d35b303bf8127447d78f09f82c31
GitHub-Last-Rev: d6f1671
GitHub-Pull-Request: #79641
Reviewed-on: https://go-review.googlesource.com/c/go/+/782400
Reviewed-by: Sean Liao <sean@liao.dev>
Auto-Submit: Sean Liao <sean@liao.dev>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Mateusz Poliwczak <mpoliwczak34@gmail.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Middleware layers might change a server Request's body,
wrapping it in some other type or replacing it entirely.

Remove various type assertions of a response.req.Body
to *body or *expectContinueReader. Instead, add fields
on the response that track the original body.

Add a test demonstrating one bug which this fixes:
TestServerConnectionReuse/large_wrapped_body
previously failed because response.closedRequestBodyEarly
failed to recognize an early-closed request body when
the body of the Request provided to the handler was
modified.

This CL introduces a small behavioral change: When sending
a response to an HTTP/1 request, we attempt to consume
the request body before sending the response (except
when full duplex responses are enabled). When the request
body is larger than maxPostHandlerReadBytes,
we now make one attempt to drain it. Previously, we would
make one direct read from the Request.Body (possibly
replaced by milddleware), followed by a second read in
(*body).Close when cleaning up the request if the first
read failed to drain the body. We now call (*body).Close
in both places, which will perform the drain exactly once.

Change-Id: I0f9507c1bd4d24bfc80daf82c5fdb0746a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/794640
Reviewed-by: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Add an example of using UnmmarshalDecode to unmarshal a stream of JSON
values.

This example is pretty much a straight port of
encoding/json.ExampleDecode.

Change-Id: I9625db144dcad658ac762646ffcc4f016a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/800640
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
Go 1.28 is in the process of being opened for development (to be
eventually released). This change marks the very beginning of its
development cycle, updating the Version value accordingly.

For #40705
For #79581

Change-Id: I5612e7ed16f64ef94fdfb53f0f6481e16a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/800721
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Matloob <matloob@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Following the "For the release team" steps in README:

	cd doc
	cp -R initial/ next
	$EDITOR next/1-intro.md

For #79581

Change-Id: I0e56193e2020d0d3804fde9ec6114bef6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/800722
Reviewed-by: Michael Matloob <matloob@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@pull pull Bot locked and limited conversation to collaborators Jul 15, 2026
@pull pull Bot added the ⤵️ pull label Jul 15, 2026
@pull
pull Bot merged commit c7749fc into trailofbits:master Jul 15, 2026
8 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants