Cypherpunks repositories - gostls13.git/commit

author	Roland Shoemaker <bracewell@google.com>
	Mon, 9 Dec 2024 19:31:22 +0000 (11:31 -0800)
committer	Gopher Robot <gobot@golang.org>
	Thu, 16 Jan 2025 19:07:05 +0000 (11:07 -0800)
commit	19d21034157ba69d0f54318a9867d9b08730efcb
tree	82f85abcd32fb2ed3e382a49bf725a0b82a4870d	tree
parent	ae9996f96510b105f478a426cd83cfac7b83c4e3	commit \| diff

[release-branch.go1.22] crypto/x509: properly check for IPv6 hosts in URIs

When checking URI constraints, use netip.ParseAddr, which understands
zones, unlike net.ParseIP which chokes on them. This prevents zone IDs
from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71207
Fixes CVE-2024-45341

Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Change-Id: I1d97723e0f29fcf1404fb868ba0495282da70f6e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1780
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643105
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>

src/crypto/x509/name_constraints_test.go		diff \| blob \| history
src/crypto/x509/verify.go		diff \| blob \| history