Cypherpunks repositories - gostls13.git/commit
crypto/x509: properly check for IPv6 hosts in URIs
author Roland Shoemaker <bracewell@google.com>
Mon, 9 Dec 2024 19:31:22 +0000 (11:31 -0800)
committer Gopher Robot <gobot@golang.org>
Thu, 16 Jan 2025 18:58:56 +0000 (10:58 -0800)
commit 2b2314e9f6103de322b2e247387c8b01fd0cd5a4
tree e9b1ac2b3730bb45602c9f754edd9115e68a2355
parent 6783377295e0878aa3ad821eefe3d7879064df6d
crypto/x509: properly check for IPv6 hosts in URIs

When checking URI constraints, use netip.ParseAddr, which understands
zones, unlike net.ParseIP which chokes on them. This prevents zone IDs
from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

Fixes #71156
Fixes CVE-2024-45341

Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643096
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
src/crypto/x509/name_constraints_test.go
src/crypto/x509/verify.go
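
The parsing difference the commit message describes, as an added example (not code from this commit or from crypto/x509): it classifies URI hosts as IP literals with net.ParseIP and with netip.ParseAddr. The helper names `hostOf`, `isIPWithParseIP`, `isIPWithParseAddr` and the sample URIs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
)

// Constructed sample URIs (documentation ranges, plus a link-local address with a zone).
var sampleURIs = []string{
	"https://example.com/path",
	"https://192.0.2.10:8443/",
	"https://[2001:db8::1]/",
	"https://[fe80::1%25eth0]:8443/", // %25 is the URI-escaped '%' before the zone ID
}

// hostOf returns the URI host with any port and IPv6 brackets removed
// (hypothetical helper, not part of crypto/x509).
func hostOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// isIPWithParseIP uses net.ParseIP, which returns nil for zoned literals,
// so a host such as "fe80::1%eth0" is not recognized as an IP address.
func isIPWithParseIP(host string) bool { return net.ParseIP(host) != nil }

// isIPWithParseAddr uses netip.ParseAddr, which accepts an optional zone,
// so zoned literals are recognized as IP addresses.
func isIPWithParseAddr(host string) bool {
	_, err := netip.ParseAddr(host)
	return err == nil
}

func main() {
	for _, raw := range sampleURIs {
		host, err := hostOf(raw)
		if err != nil {
			fmt.Printf("%-34s parse error: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-34s host=%-14q ParseIP=%-5v ParseAddr=%v\n",
			raw, host, isIPWithParseIP(host), isIPWithParseAddr(host))
	}
}
```

Only the zoned link-local host is classified differently by the two checks; the hostname, IPv4 and unzoned IPv6 samples get the same answer from both.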