gtsocial-umbx

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE

commit a9a43beca238516d5296829d13982e96ad7f8f2c
parent 18e7e0073224d9bf44c37341f8670c99886ef825
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Tue,  8 Nov 2022 11:11:35 +0100

[chore]: Bump github.com/microcosm-cc/bluemonday from 1.0.20 to 1.0.21 (#1004)

Bumps [github.com/microcosm-cc/bluemonday](https://github.com/microcosm-cc/bluemonday) from 1.0.20 to 1.0.21.
- [Release notes](https://github.com/microcosm-cc/bluemonday/releases)
- [Commits](https://github.com/microcosm-cc/bluemonday/compare/v1.0.20...v1.0.21)

---
updated-dependencies:
- dependency-name: github.com/microcosm-cc/bluemonday
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Diffstat:
Mgo.mod | 4++--
Mgo.sum | 8++++----
Mvendor/github.com/microcosm-cc/bluemonday/doc.go | 30+++++++++++++++---------------
Mvendor/github.com/microcosm-cc/bluemonday/helpers.go | 9+++++----
Mvendor/github.com/microcosm-cc/bluemonday/sanitize.go | 2+-
Mvendor/golang.org/x/net/http2/h2c/h2c.go | 11+++++++++++
Mvendor/golang.org/x/net/http2/server.go | 50+++++++++++++++++++++++++++++---------------------
Mvendor/golang.org/x/net/http2/transport.go | 69+++++++++++++++++++++++++++++++++++++++++++++------------------------
Mvendor/golang.org/x/net/internal/socket/mmsghdr_unix.go | 18+++++++++++++++++-
Mvendor/golang.org/x/net/internal/socket/msghdr_linux.go | 3---
Mvendor/modules.txt | 4++--
11 files changed, 131 insertions(+), 77 deletions(-)

diff --git a/go.mod b/go.mod @@ -29,7 +29,7 @@ require ( github.com/h2non/filetype v1.1.3 github.com/jackc/pgconn v1.13.0 github.com/jackc/pgx/v4 v4.17.2 - github.com/microcosm-cc/bluemonday v1.0.20 + github.com/microcosm-cc/bluemonday v1.0.21 github.com/miekg/dns v1.1.50 github.com/minio/minio-go/v7 v7.0.43 github.com/mitchellh/mapstructure v1.5.0 @@ -50,7 +50,7 @@ require ( github.com/wagslane/go-password-validator v0.3.0 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 golang.org/x/exp v0.0.0-20220613132600-b0d781184e0d - golang.org/x/net v0.0.0-20220909164309-bea034e7d591 + golang.org/x/net v0.0.0-20221002022538-bcab6841153b golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 golang.org/x/text v0.4.0 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 diff --git a/go.sum b/go.sum @@ -451,8 +451,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U= -github.com/microcosm-cc/bluemonday v1.0.20 h1:flpzsq4KU3QIYAYGV/szUat7H+GPOXR0B2JU5A1Wp8Y= -github.com/microcosm-cc/bluemonday v1.0.20/go.mod h1:yfBmMi8mxvaZut3Yytv+jTXRY8mxyjJ0/kQBTElld50= +github.com/microcosm-cc/bluemonday v1.0.21 h1:dNH3e4PSyE4vNX+KlRGHT5KrSvjeUkoNPwEORjffHJg= +github.com/microcosm-cc/bluemonday v1.0.21/go.mod h1:ytNkv4RrDrLJ2pqlsSI46O6IVXmZOBBD4SaJyDwwTkM= github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME= github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34= @@ -758,8 +758,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.0.0-20220909164309-bea034e7d591 h1:D0B/7al0LLrVC8aWF4+oxpv/m8bc7ViFfVS8/gXGdqI= -golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU= +golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= diff --git a/vendor/github.com/microcosm-cc/bluemonday/doc.go b/vendor/github.com/microcosm-cc/bluemonday/doc.go @@ -35,31 +35,31 @@ the allowlist will be stripped. The default bluemonday.UGCPolicy().Sanitize() turns this: - Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World + Hello <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>World Into the more harmless: - Hello World + Hello World And it turns this: - <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a> + <a href="javascript:alert('XSS1')" onmouseover="alert('XSS2')">XSS<a> Into this: - XSS + XSS Whilst still allowing this: - <a href="http://www.google.com/"> - <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/> - </a> + <a href="http://www.google.com/"> + <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/> + </a> To pass through mostly unaltered (it gained a rel="nofollow"): - <a href="http://www.google.com/" rel="nofollow"> - <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/> - </a> + <a href="http://www.google.com/" rel="nofollow"> + <img src="https://ssl.gstatic.com/accounts/ui/logo_2x.png"/> + </a> The primary purpose of bluemonday is to take potentially unsafe user generated content (from things like Markdown, HTML WYSIWYG tools, etc) and make it safe @@ -95,10 +95,10 @@ attributes are considered safe for your scenario. OWASP provide an XSS prevention cheat sheet ( https://www.google.com/search?q=xss+prevention+cheat+sheet ) to help explain the risks, but essentially: - 1. Avoid allowing anything other than plain HTML elements - 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base` - elements - 3. Avoid allowing anything other than plain HTML elements with simple - values that you can match to a regexp + 1. Avoid allowing anything other than plain HTML elements + 2. Avoid allowing `script`, `style`, `iframe`, `object`, `embed`, `base` + elements + 3. Avoid allowing anything other than plain HTML elements with simple + values that you can match to a regexp */ package bluemonday diff --git a/vendor/github.com/microcosm-cc/bluemonday/helpers.go b/vendor/github.com/microcosm-cc/bluemonday/helpers.go @@ -193,10 +193,11 @@ func (p *Policy) AllowImages() { // http://en.wikipedia.org/wiki/Data_URI_scheme // // Images must have a mimetype matching: -// image/gif -// image/jpeg -// image/png -// image/webp +// +// image/gif +// image/jpeg +// image/png +// image/webp // // NOTE: There is a potential security risk to allowing data URIs and you should // only permit them on content you already trust. diff --git a/vendor/github.com/microcosm-cc/bluemonday/sanitize.go b/vendor/github.com/microcosm-cc/bluemonday/sanitize.go @@ -440,8 +440,8 @@ func (p *Policy) sanitize(r io.Reader, w io.Writer) error { if _, err := buff.WriteString(" "); err != nil { return err } - break } + break } if !skipElementContent { if _, err := buff.WriteString(token.String()); err != nil { diff --git a/vendor/golang.org/x/net/http2/h2c/h2c.go b/vendor/golang.org/x/net/http2/h2c/h2c.go @@ -70,6 +70,15 @@ func NewHandler(h http.Handler, s *http2.Server) http.Handler { } } +// extractServer extracts existing http.Server instance from http.Request or create an empty http.Server +func extractServer(r *http.Request) *http.Server { + server, ok := r.Context().Value(http.ServerContextKey).(*http.Server) + if ok { + return server + } + return new(http.Server) +} + // ServeHTTP implement the h2c support that is enabled by h2c.GetH2CHandler. func (s h2cHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // Handle h2c with prior knowledge (RFC 7540 Section 3.4) @@ -87,6 +96,7 @@ func (s h2cHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { defer conn.Close() s.s.ServeConn(conn, &http2.ServeConnOpts{ Context: r.Context(), + BaseConfig: extractServer(r), Handler: s.Handler, SawClientPreface: true, }) @@ -104,6 +114,7 @@ func (s h2cHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { defer conn.Close() s.s.ServeConn(conn, &http2.ServeConnOpts{ Context: r.Context(), + BaseConfig: extractServer(r), Handler: s.Handler, UpgradeRequest: r, Settings: settings, diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go @@ -143,7 +143,7 @@ type Server struct { } func (s *Server) initialConnRecvWindowSize() int32 { - if s.MaxUploadBufferPerConnection > initialWindowSize { + if s.MaxUploadBufferPerConnection >= initialWindowSize { return s.MaxUploadBufferPerConnection } return 1 << 20 @@ -869,9 +869,7 @@ func (sc *serverConn) serve() { // Each connection starts with initialWindowSize inflow tokens. // If a higher value is configured, we add more tokens. - if diff := sc.srv.initialConnRecvWindowSize() - initialWindowSize; diff > 0 { - sc.sendWindowUpdate(nil, int(diff)) - } + sc.sendWindowUpdate(nil) if err := sc.readPreface(); err != nil { sc.condlogf(err, "http2: server: error reading preface from client %v: %v", sc.conn.RemoteAddr(), err) @@ -1588,7 +1586,7 @@ func (sc *serverConn) closeStream(st *stream, err error) { if p := st.body; p != nil { // Return any buffered unread bytes worth of conn-level flow control. // See golang.org/issue/16481 - sc.sendWindowUpdate(nil, p.Len()) + sc.sendWindowUpdate(nil) p.CloseWithError(err) } @@ -1736,7 +1734,7 @@ func (sc *serverConn) processData(f *DataFrame) error { // sendWindowUpdate, which also schedules sending the // frames. sc.inflow.take(int32(f.Length)) - sc.sendWindowUpdate(nil, int(f.Length)) // conn-level + sc.sendWindowUpdate(nil) // conn-level if st != nil && st.resetQueued { // Already have a stream error in flight. Don't send another. @@ -1754,7 +1752,7 @@ func (sc *serverConn) processData(f *DataFrame) error { return sc.countError("data_flow", streamError(id, ErrCodeFlowControl)) } sc.inflow.take(int32(f.Length)) - sc.sendWindowUpdate(nil, int(f.Length)) // conn-level + sc.sendWindowUpdate(nil) // conn-level st.body.CloseWithError(fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes)) // RFC 7540, sec 8.1.2.6: A request or response is also malformed if the @@ -1772,7 +1770,7 @@ func (sc *serverConn) processData(f *DataFrame) error { if len(data) > 0 { wrote, err := st.body.Write(data) if err != nil { - sc.sendWindowUpdate(nil, int(f.Length)-wrote) + sc.sendWindowUpdate32(nil, int32(f.Length)-int32(wrote)) return sc.countError("body_write_err", streamError(id, ErrCodeStreamClosed)) } if wrote != len(data) { @@ -2099,12 +2097,6 @@ func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*res return nil, nil, sc.countError("bad_path_method", streamError(f.StreamID, ErrCodeProtocol)) } - bodyOpen := !f.StreamEnded() - if rp.method == "HEAD" && bodyOpen { - // HEAD requests can't have bodies - return nil, nil, sc.countError("head_body", streamError(f.StreamID, ErrCodeProtocol)) - } - rp.header = make(http.Header) for _, hf := range f.RegularFields() { rp.header.Add(sc.canonicalHeader(hf.Name), hf.Value) @@ -2117,6 +2109,7 @@ func (sc *serverConn) newWriterAndRequest(st *stream, f *MetaHeadersFrame) (*res if err != nil { return nil, nil, err } + bodyOpen := !f.StreamEnded() if bodyOpen { if vv, ok := rp.header["Content-Length"]; ok { if cl, err := strconv.ParseUint(vv[0], 10, 63); err == nil { @@ -2329,17 +2322,32 @@ func (sc *serverConn) noteBodyReadFromHandler(st *stream, n int, err error) { func (sc *serverConn) noteBodyRead(st *stream, n int) { sc.serveG.check() - sc.sendWindowUpdate(nil, n) // conn-level + sc.sendWindowUpdate(nil) // conn-level if st.state != stateHalfClosedRemote && st.state != stateClosed { // Don't send this WINDOW_UPDATE if the stream is closed // remotely. - sc.sendWindowUpdate(st, n) + sc.sendWindowUpdate(st) } } // st may be nil for conn-level -func (sc *serverConn) sendWindowUpdate(st *stream, n int) { +func (sc *serverConn) sendWindowUpdate(st *stream) { sc.serveG.check() + + var n int32 + if st == nil { + if avail, windowSize := sc.inflow.available(), sc.srv.initialConnRecvWindowSize(); avail > windowSize/2 { + return + } else { + n = windowSize - avail + } + } else { + if avail, windowSize := st.inflow.available(), sc.srv.initialStreamRecvWindowSize(); avail > windowSize/2 { + return + } else { + n = windowSize - avail + } + } // "The legal range for the increment to the flow control // window is 1 to 2^31-1 (2,147,483,647) octets." // A Go Read call on 64-bit machines could in theory read @@ -2505,6 +2513,10 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { rws.writeHeader(200) } + if rws.handlerDone { + rws.promoteUndeclaredTrailers() + } + isHeadResp := rws.req.Method == "HEAD" if !rws.sentHeader { rws.sentHeader = true @@ -2576,10 +2588,6 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) { return 0, nil } - if rws.handlerDone { - rws.promoteUndeclaredTrailers() - } - // only send trailers if they have actually been defined by the // server handler. hasNonemptyTrailers := rws.hasNonemptyTrailers() diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go @@ -258,7 +258,8 @@ func (t *Transport) initConnPool() { // HTTP/2 server. type ClientConn struct { t *Transport - tconn net.Conn // usually *tls.Conn, except specialized impls + tconn net.Conn // usually *tls.Conn, except specialized impls + tconnClosed bool tlsState *tls.ConnectionState // nil only for specialized impls reused uint32 // whether conn is being reused; atomic singleUse bool // whether being used for a single http.Request @@ -344,8 +345,8 @@ type clientStream struct { readErr error // sticky read error; owned by transportResponseBody.Read reqBody io.ReadCloser - reqBodyContentLength int64 // -1 means unknown - reqBodyClosed bool // body has been closed; guarded by cc.mu + reqBodyContentLength int64 // -1 means unknown + reqBodyClosed chan struct{} // guarded by cc.mu; non-nil on Close, closed when done // owned by writeRequest: sentEndStream bool // sent an END_STREAM flag to the peer @@ -385,9 +386,8 @@ func (cs *clientStream) abortStreamLocked(err error) { cs.abortErr = err close(cs.abort) }) - if cs.reqBody != nil && !cs.reqBodyClosed { - cs.reqBody.Close() - cs.reqBodyClosed = true + if cs.reqBody != nil { + cs.closeReqBodyLocked() } // TODO(dneil): Clean up tests where cs.cc.cond is nil. if cs.cc.cond != nil { @@ -400,13 +400,24 @@ func (cs *clientStream) abortRequestBodyWrite() { cc := cs.cc cc.mu.Lock() defer cc.mu.Unlock() - if cs.reqBody != nil && !cs.reqBodyClosed { - cs.reqBody.Close() - cs.reqBodyClosed = true + if cs.reqBody != nil && cs.reqBodyClosed == nil { + cs.closeReqBodyLocked() cc.cond.Broadcast() } } +func (cs *clientStream) closeReqBodyLocked() { + if cs.reqBodyClosed != nil { + return + } + cs.reqBodyClosed = make(chan struct{}) + reqBodyClosed := cs.reqBodyClosed + go func() { + cs.reqBody.Close() + close(reqBodyClosed) + }() +} + type stickyErrWriter struct { conn net.Conn timeout time.Duration @@ -921,10 +932,10 @@ func (cc *ClientConn) onIdleTimeout() { cc.closeIfIdle() } -func (cc *ClientConn) closeConn() error { +func (cc *ClientConn) closeConn() { t := time.AfterFunc(250*time.Millisecond, cc.forceCloseConn) defer t.Stop() - return cc.tconn.Close() + cc.tconn.Close() } // A tls.Conn.Close can hang for a long time if the peer is unresponsive. @@ -990,7 +1001,8 @@ func (cc *ClientConn) Shutdown(ctx context.Context) error { shutdownEnterWaitStateHook() select { case <-done: - return cc.closeConn() + cc.closeConn() + return nil case <-ctx.Done(): cc.mu.Lock() // Free the goroutine above @@ -1027,7 +1039,7 @@ func (cc *ClientConn) sendGoAway() error { // closes the client connection immediately. In-flight requests are interrupted. // err is sent to streams. -func (cc *ClientConn) closeForError(err error) error { +func (cc *ClientConn) closeForError(err error) { cc.mu.Lock() cc.closed = true for _, cs := range cc.streams { @@ -1035,7 +1047,7 @@ func (cc *ClientConn) closeForError(err error) error { } cc.cond.Broadcast() cc.mu.Unlock() - return cc.closeConn() + cc.closeConn() } // Close closes the client connection immediately. @@ -1043,16 +1055,17 @@ func (cc *ClientConn) closeForError(err error) error { // In-flight requests are interrupted. For a graceful shutdown, use Shutdown instead. func (cc *ClientConn) Close() error { err := errors.New("http2: client connection force closed via ClientConn.Close") - return cc.closeForError(err) + cc.closeForError(err) + return nil } // closes the client connection immediately. In-flight requests are interrupted. -func (cc *ClientConn) closeForLostPing() error { +func (cc *ClientConn) closeForLostPing() { err := errors.New("http2: client connection lost") if f := cc.t.CountError; f != nil { f("conn_close_lost_ping") } - return cc.closeForError(err) + cc.closeForError(err) } // errRequestCanceled is a copy of net/http's errRequestCanceled because it's not @@ -1430,11 +1443,19 @@ func (cs *clientStream) cleanupWriteRequest(err error) { // and in multiple cases: server replies <=299 and >299 // while still writing request body cc.mu.Lock() + mustCloseBody := false + if cs.reqBody != nil && cs.reqBodyClosed == nil { + mustCloseBody = true + cs.reqBodyClosed = make(chan struct{}) + } bodyClosed := cs.reqBodyClosed - cs.reqBodyClosed = true cc.mu.Unlock() - if !bodyClosed && cs.reqBody != nil { + if mustCloseBody { cs.reqBody.Close() + close(bodyClosed) + } + if bodyClosed != nil { + <-bodyClosed } if err != nil && cs.sentEndStream { @@ -1614,7 +1635,7 @@ func (cs *clientStream) writeRequestBody(req *http.Request) (err error) { } if err != nil { cc.mu.Lock() - bodyClosed := cs.reqBodyClosed + bodyClosed := cs.reqBodyClosed != nil cc.mu.Unlock() switch { case bodyClosed: @@ -1709,7 +1730,7 @@ func (cs *clientStream) awaitFlowControl(maxBytes int) (taken int32, err error) if cc.closed { return 0, errClientConnClosed } - if cs.reqBodyClosed { + if cs.reqBodyClosed != nil { return 0, errStopReqBodyWrite } select { @@ -2005,7 +2026,7 @@ func (cc *ClientConn) forgetStreamID(id uint32) { // wake up RoundTrip if there is a pending request. cc.cond.Broadcast() - closeOnIdle := cc.singleUse || cc.doNotReuse || cc.t.disableKeepAlives() + closeOnIdle := cc.singleUse || cc.doNotReuse || cc.t.disableKeepAlives() || cc.goAway != nil if closeOnIdle && cc.streamsReserved == 0 && len(cc.streams) == 0 { if VerboseLogs { cc.vlogf("http2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)", cc, cc.singleUse, cc.nextStreamID-2) @@ -2081,6 +2102,7 @@ func (rl *clientConnReadLoop) cleanup() { err = io.ErrUnexpectedEOF } cc.closed = true + for _, cs := range cc.streams { select { case <-cs.peerClosed: @@ -2674,7 +2696,6 @@ func (rl *clientConnReadLoop) processGoAway(f *GoAwayFrame) error { if fn := cc.t.CountError; fn != nil { fn("recv_goaway_" + f.ErrCode.stringToken()) } - } cc.setGoAway(f) return nil @@ -3028,7 +3049,7 @@ func traceGotConn(req *http.Request, cc *ClientConn, reused bool) { cc.mu.Lock() ci.WasIdle = len(cc.streams) == 0 && reused if ci.WasIdle && !cc.lastActive.IsZero() { - ci.IdleTime = time.Now().Sub(cc.lastActive) + ci.IdleTime = time.Since(cc.lastActive) } cc.mu.Unlock() diff --git a/vendor/golang.org/x/net/internal/socket/mmsghdr_unix.go b/vendor/golang.org/x/net/internal/socket/mmsghdr_unix.go @@ -172,7 +172,23 @@ type mmsgTmpsPool struct { } func (p *mmsgTmpsPool) Get() *mmsgTmps { - return p.p.Get().(*mmsgTmps) + m := p.p.Get().(*mmsgTmps) + // Clear fields up to the len (not the cap) of the slice, + // assuming that the previous caller only used that many elements. + for i := range m.packer.sockaddrs { + m.packer.sockaddrs[i] = 0 + } + m.packer.sockaddrs = m.packer.sockaddrs[:0] + for i := range m.packer.vs { + m.packer.vs[i] = iovec{} + } + m.packer.vs = m.packer.vs[:0] + for i := range m.packer.hs { + m.packer.hs[i].Len = 0 + m.packer.hs[i].Hdr = msghdr{} + } + m.packer.hs = m.packer.hs[:0] + return m } func (p *mmsgTmpsPool) Put(tmps *mmsgTmps) { diff --git a/vendor/golang.org/x/net/internal/socket/msghdr_linux.go b/vendor/golang.org/x/net/internal/socket/msghdr_linux.go @@ -17,9 +17,6 @@ func (h *msghdr) pack(vs []iovec, bs [][]byte, oob []byte, sa []byte) { if sa != nil { h.Name = (*byte)(unsafe.Pointer(&sa[0])) h.Namelen = uint32(len(sa)) - } else { - h.Name = nil - h.Namelen = 0 } } diff --git a/vendor/modules.txt b/vendor/modules.txt @@ -263,7 +263,7 @@ github.com/magiconair/properties # github.com/mattn/go-isatty v0.0.16 ## explicit; go 1.15 github.com/mattn/go-isatty -# github.com/microcosm-cc/bluemonday v1.0.20 +# github.com/microcosm-cc/bluemonday v1.0.21 ## explicit; go 1.19 github.com/microcosm-cc/bluemonday github.com/microcosm-cc/bluemonday/css @@ -655,7 +655,7 @@ golang.org/x/image/tiff/lzw # golang.org/x/mod v0.6.0-dev.0.20220907135952-02c991387e35 ## explicit; go 1.17 golang.org/x/mod/semver -# golang.org/x/net v0.0.0-20220909164309-bea034e7d591 +# golang.org/x/net v0.0.0-20221002022538-bcab6841153b ## explicit; go 1.17 golang.org/x/net/bpf golang.org/x/net/context