Cypherpunks repositories - gostls13.git/commit

author	Roland Shoemaker <bracewell@google.com>
	Mon, 9 Dec 2024 19:31:22 +0000 (11:31 -0800)
committer	Gopher Robot <gobot@golang.org>
	Thu, 16 Jan 2025 19:00:37 +0000 (11:00 -0800)
commit	fdb8413fe588ec6dc31f1deaf43eb7202a76bb79
tree	982c42c0d3d58369b15f9774df3976e06af542a2	tree
parent	1dde0b484489653136a54df9932cc8d1c0fb6d1b	commit \| diff

[release-branch.go1.23] crypto/x509: properly check for IPv6 hosts in URIs

When checking URI constraints, use netip.ParseAddr, which understands
zones, unlike net.ParseIP which chokes on them. This prevents zone IDs
from mistakenly satisfying URI constraints.

Thanks to Juho Forsén of Mattermost for reporting this issue.

For #71156
Fixes #71208
Fixes CVE-2024-45341

Change-Id: Iecac2529f3605382d257996e0fb6d6983547e400
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 22ca55d396ba801e6ae9b2bd67a059fcb30562fd)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1762
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/643103
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>

src/crypto/x509/name_constraints_test.go		diff \| blob \| history
src/crypto/x509/verify.go		diff \| blob \| history