]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 4091800) | patch
[release-branch.go1.25] net/url: reject IPv6 literal not at start of host
authorIan Alexander <jitsu@google.com>
Wed, 28 Jan 2026 20:29:52 +0000 (15:29 -0500)
committerGopher Robot <gobot@golang.org>
Fri, 6 Mar 2026 00:15:25 +0000 (16:15 -0800)
commitd8174a9500d53784594b198f6195d1fae8dfe803
tree145633c05c1130e5ab5f95468f88d8f437ad733ctree
parent4091800393d254befde3770fd16f51200ebd5a3dcommit | diff
[release-branch.go1.25] net/url: reject IPv6 literal not at start of host

This change rejects IPv6 literals that do not appear at the start of the
host subcomponent of a URL.

For example:
  http://example.com[::1] -> rejects
  http://[::1]            -> accepts

Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.

Updates #77578
Fixes #77969
Fixes CVE-2026-25679

Change-Id: I7109031880758f7c1eb4eca513323328feace33c
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3400
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3642
Reviewed-on: https://go-review.googlesource.com/c/go/+/752100
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
src/net/url/url.go diff | blob | history
src/net/url/url_test.go diff | blob | history
Go GOST TLS 1.3