[go/release-branch.go1.24] [release-branch.go1.24] net/url: enforce stricter parsing of bracketed IPv6 hostnames
1 view
Skip to first unread message
Gopher Robot (Gerrit)
Oct 7, 2025, 2:00:47 PM (18 hours ago) Oct 7
to Michael Pratt, Ethan Lee, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[release-branch.go1.24] net/url: enforce stricter parsing of bracketed IPv6 hostnames
- Previously, url.Parse did not enforce validation of hostnames within
square brackets.
- RFC 3986 stipulates that only IPv6 hostnames can be embedded within
square brackets in a URL.
- Now, the parsing logic should strictly enforce that only IPv6
hostnames can be resolved when in square brackets. IPv4, IPv4-mapped
addresses and other input will be rejected.
- Update url_test to add test cases that cover the above scenarios.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua
University for reporting this issue.
Fixes CVE-2025-47912
Fixes #75678
Fixes #75712
Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709838
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
- M src/go/build/deps_test.go
- M src/net/url/url.go
- M src/net/url/url_test.go
Change size: M
Delta: 3 files changed, 77 insertions(+), 14 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
Code-Review: +2 by Carlos Amedee
TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Oct 7, 2025, 2:02:17 PM (18 hours ago) Oct 7
to Michael Pratt, Ethan Lee, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[release-branch.go1.25] net/url: enforce stricter parsing of bracketed IPv6 hostnames
- Previously, url.Parse did not enforce validation of hostnames within
square brackets.
- RFC 3986 stipulates that only IPv6 hostnames can be embedded within
square brackets in a URL.
- Now, the parsing logic should strictly enforce that only IPv6
hostnames can be resolved when in square brackets. IPv4, IPv4-mapped
addresses and other input will be rejected.
- Update url_test to add test cases that cover the above scenarios.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua
University for reporting this issue.
Fixes CVE-2025-47912
For #75678
Fixes #75713
Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Roland Shoemaker <brac...@google.com>
Commit-Queue: Roland Shoemaker <brac...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709847
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
- M src/go/build/deps_test.go
- M src/net/url/url.go
- M src/net/url/url_test.go
Change size: M
Delta: 3 files changed, 77 insertions(+), 14 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
Code-Review: +2 by Carlos Amedee
TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Oct 7, 2025, 3:46:29 PM (16 hours ago) Oct 7
to Michael Pratt, Ethan Lee, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com
Gopher Robot submitted the change![]( "Open in Gerrit")
Change information
Commit message:
net/url: enforce stricter parsing of bracketed IPv6 hostnames
- Previously, url.Parse did not enforce validation of hostnames within
square brackets.
- RFC 3986 stipulates that only IPv6 hostnames can be embedded within
square brackets in a URL.
- Now, the parsing logic should strictly enforce that only IPv6
hostnames can be resolved when in square brackets. IPv4, IPv4-mapped
addresses and other input will be rejected.
- Update url_test to add test cases that cover the above scenarios.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua
University for reporting this issue.
Fixes CVE-2025-47912
Fixes #75678
Change-Id: Iaa41432bf0ee86de95a39a03adae5729e4deb46c
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709857
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
- M src/go/build/deps_test.go
- M src/net/url/url.go
- M src/net/url/url_test.go
Change size: M
Delta: 3 files changed, 77 insertions(+), 14 deletions(-)
Branch: refs/heads/master
Submit Requirements:
Code-Review: +2 by Carlos Amedee
TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI, TryBot-Bypass+1 by Michael Pratt
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages