xsrf: sha1 -> sha256
diff --git a/xsrftoken/xsrf.go b/xsrftoken/xsrf.go
index e808e6d..dc28254 100644
--- a/xsrftoken/xsrf.go
+++ b/xsrftoken/xsrf.go
@@ -7,7 +7,7 @@
import (
"crypto/hmac"
- "crypto/sha1"
+ "crypto/sha256"
"crypto/subtle"
"encoding/base64"
"fmt"
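Review bot: the one-line commit message "xsrf: sha1 -> sha256" gives no rationale for the import swap in this hunk; a reviewer will want the message to state why (HMAC-SHA1 is not broken as a MAC, so the motivation is presumably moving off a deprecated primitive) and to call out that the change is not backward compatible with tokens minted by the previous version.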
@@ -42,7 +42,7 @@
// Round time up and convert to milliseconds.
milliTime := (now.UnixNano() + 1e6 - 1) / 1e6
- h := hmac.New(sha1.New, []byte(key))
+ h := hmac.New(sha256.New, []byte(key))
fmt.Fprintf(h, "%s:%s:%d", clean(userID), clean(actionID), milliTime)
// Get the no padding base64 string.
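Review bot: swapping `hmac.New(sha1.New, ...)` for `hmac.New(sha256.New, ...)` changes the MAC from 20 to 32 bytes, so every token issued before this change fails to validate afterwards and vice versa, as the later comment on the CL points out; if the change proceeds, the validation path that recomputes this MAC (not visible in this hunk) must use the same hash, and a transition period that accepts both forms, or at least a documented note that all outstanding tokens are invalidated on upgrade, should be considered.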
Congratulations on opening your first change. Thank you for your contribution!
Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.
Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.
During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://go.dev/s/release
for more details.
This is potentially disruptive during a gradual rollout as you may have old tokens that can't be validated by the new version, or the inverse.
I think we should instead aim to point users to the new https://pkg.go.dev/net/http#CrossOriginProtection