mirror of https://github.com/golang/net.git synced 2026-04-01 02:47:08 +09:00

Go to file

Roland Shoemaker 59706cdaa8 html: impose open element stack size limit

The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

2025-10-07 11:18:01 -07:00

bpf

all: replace deprecated io/ioutil calls

2024-05-21 19:59:00 +00:00

context

context: add //go:fix inline annotation to Context et al

2025-09-04 09:58:34 -07:00

dict

all: fix a few function names on comments

2022-10-12 13:50:44 +00:00

dns/dnsmessage

all: replace deprecated io/ioutil calls

2024-05-21 19:59:00 +00:00

html

html: impose open element stack size limit

2025-10-07 11:18:01 -07:00

http

proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts

2025-03-04 11:00:06 -08:00

http2

http2: fix RFC 9218 write scheduler not being idempotent

2025-10-07 09:12:30 -07:00

icmp

all: update go directive to 1.18

2023-10-11 21:58:12 +00:00

idna

all: update go directive to 1.18

2023-10-11 21:58:12 +00:00

internal

internal/httpsfv: implement parsing support for date and display string

2025-10-02 12:44:41 -07:00

ipv4

all: replace deprecated io/ioutil calls

2024-05-21 19:59:00 +00:00

ipv6

all: replace deprecated io/ioutil calls

2024-05-21 19:59:00 +00:00

lif

all: update go directive to 1.18

2023-10-11 21:58:12 +00:00

nettest

all: fix some comments

2025-09-15 17:28:39 -07:00

netutil

all: correct typos in comments

2023-02-07 17:08:46 +00:00

proxy

proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts

2025-03-04 11:00:06 -08:00

publicsuffix

publicsuffix: regenerate table

2025-03-20 16:04:31 -07:00

quic

all: fix some comments

2025-09-15 17:28:39 -07:00

route

route: fix RTM_GET netmask parsing on Darwin

2025-02-10 12:16:25 -08:00

trace

trace: add missing td tag

2025-05-12 10:10:08 -07:00

webdav

webdav/internal/xml: use the built-in min function

2025-09-30 12:18:58 -07:00

websocket

websocket: re-recommend gorilla/websocket

2025-03-05 13:52:38 -08:00

xsrftoken

xsrftoken: create no padding base64 string by RawURLEncoding

2024-07-22 18:18:19 +00:00

.gitattributes

net: add .gitattributes (fixes windows build)

2014-12-23 17:05:08 +11:00

.gitignore

gitignore: remove obsolete reference to .hgignore in comment

2020-03-20 18:12:08 +00:00

codereview.cfg

net: add codereview.cfg

2015-03-18 17:04:12 +00:00

CONTRIBUTING.md

CONTRIBUTING.md: remove note about not accepting Pull Requests

2018-03-14 18:02:42 +00:00

go.mod

go.mod: update golang.org/x dependencies

2025-09-08 11:55:48 -07:00

go.sum

go.mod: update golang.org/x dependencies

2025-09-08 11:55:48 -07:00

LICENSE

LICENSE: update per Google Legal

2024-07-16 16:05:10 +00:00

PATENTS

…

README.md

README: don't recommend go get

2024-11-01 18:28:29 +00:00

README.md

Go Networking

This repository holds supplementary Go networking packages.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.

The git repository is https://go.googlesource.com/net.

The main issue tracker for the net repository is located at https://go.dev/issues. Prefix your issue with "x/net:" in the subject line, so it is easy to find.