Merge branch 'release-branch.go1.26' of https://go.googlesource.com/go into bradfitz/1_26_bump

Go 1.26.1

Author: bradfitz

VERSION

@@ -1,2 +1,2 @@
-go1.26.0
-time 2026-02-10T01:22:00Z
+go1.26.1
+time 2026-03-05T20:45:11Z

doc/godebug.md

@@ -155,6 +155,11 @@ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
 
 ### Go 1.26
 
+Go 1.26.1 added a new `htmlmetacontenturlescape` setting that controls whether
+html/template will escape URLs in the `url=` portion of the content attribute of
+HTML meta tags. The default `htmlmetacontentescape=1` will cause URLs to be
+escaped. Setting `htmlmetacontentescape=0` disables this behavior.
+
 Go 1.26 added a new `httpcookiemaxnum` setting that controls the maximum number
 of cookies that net/http will accept when parsing HTTP headers. If the number of
 cookie in a header exceeds the number set in `httpcookiemaxnum`, cookie parsing

src/crypto/x509/constraints.go

@@ -58,11 +58,11 @@ import (
 // of nameConstraintsSet, to handle constraints which define full email
 // addresses (i.e. 'test@example.com'). For bare domain constraints, we use the
 // dnsConstraints type described above, querying the domain portion of the email
-// address. For full email addresses, we also hold a map of email addresses that
-// map the local portion of the email to the domain. When querying full email
-// addresses we then check if the local portion of the email is present in the
-// map, and if so case insensitively compare the domain portion of the
-// email.
+// address. For full email addresses, we also hold a map of email addresses with
+// the domain portion of the email lowercased, since it is case insensitive. When
+// looking up an email address in the constraint set, we first check the full
+// email address map, and if we don't find anything, we check the domain portion
+// of the email address against the dnsConstraints.
 
 type nameConstraintsSet[T *net.IPNet | string, V net.IP | string] struct {
 	set []T
@@ -375,7 +375,7 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
 		return constraint, true
 	}
 
-	if !dnc.permitted && s[0] == '*' {
+	if !dnc.permitted && len(s) > 0 && s[0] == '*' {
 		trimmed := trimFirstLabel(s)
 		if constraint, found := dnc.parentConstraints[trimmed]; found {
 			return constraint, true
@@ -387,16 +387,22 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
 type emailConstraints struct {
 	dnsConstraints interface{ query(string) (string, bool) }
 
-	fullEmails map[string]string
+	// fullEmails is map of rfc2821Mailboxs that are fully specified in the
+	// constraints, which we need to check for separately since they don't
+	// follow the same matching rules as the domain-based constraints. The
+	// domain portion of the rfc2821Mailbox has been lowercased, since the
+	// domain portion is case insensitive. When checking the map for an email,
+	// the domain portion of the query should also be lowercased.
+	fullEmails map[rfc2821Mailbox]struct{}
 }
 
 func newEmailConstraints(l []string, permitted bool) interface {
-	query(parsedEmail) (string, bool)
+	query(rfc2821Mailbox) (string, bool)
 } {
 	if len(l) == 0 {
 		return nil
 	}
-	exactMap := map[string]string{}
+	exactMap := map[rfc2821Mailbox]struct{}{}
 	var domains []string
 	for _, c := range l {
 		if !strings.ContainsRune(c, '@') {
@@ -411,7 +417,8 @@ func newEmailConstraints(l []string, permitted bool) interface {
 			// certificate since parsing.
 			continue
 		}
-		exactMap[parsed.local] = parsed.domain
+		parsed.domain = strings.ToLower(parsed.domain)
+		exactMap[parsed] = struct{}{}
 	}
 	ec := &emailConstraints{
 		fullEmails: exactMap,
@@ -422,16 +429,16 @@ func newEmailConstraints(l []string, permitted bool) interface {
 	return ec
 }
 
-func (ec *emailConstraints) query(s parsedEmail) (string, bool) {
-	if len(ec.fullEmails) > 0 && strings.ContainsRune(s.email, '@') {
-		if domain, ok := ec.fullEmails[s.mailbox.local]; ok && strings.EqualFold(domain, s.mailbox.domain) {
-			return ec.fullEmails[s.email] + "@" + s.mailbox.domain, true
+func (ec *emailConstraints) query(s rfc2821Mailbox) (string, bool) {
+	if len(ec.fullEmails) > 0 {
+		if _, ok := ec.fullEmails[s]; ok {
+			return fmt.Sprintf("%s@%s", s.local, s.domain), true
 		}
 	}
 	if ec.dnsConstraints == nil {
 		return "", false
 	}
-	constraint, found := ec.dnsConstraints.query(s.mailbox.domain)
+	constraint, found := ec.dnsConstraints.query(s.domain)
 	return constraint, found
 }
 
@@ -441,7 +448,7 @@ type constraints[T any, V any] struct {
 	excluded       interface{ query(V) (T, bool) }
 }
 
-func checkConstraints[T string | *net.IPNet, V any, P string | net.IP | parsedURI | parsedEmail](c constraints[T, V], s V, p P) error {
+func checkConstraints[T string | *net.IPNet, V any, P string | net.IP | parsedURI | rfc2821Mailbox](c constraints[T, V], s V, p P) error {
 	if c.permitted != nil {
 		if _, found := c.permitted.query(s); !found {
 			return fmt.Errorf("%s %q is not permitted by any constraint", c.constraintType, p)
@@ -459,13 +466,13 @@ type chainConstraints struct {
 	ip    constraints[*net.IPNet, net.IP]
 	dns   constraints[string, string]
 	uri   constraints[string, string]
-	email constraints[string, parsedEmail]
+	email constraints[string, rfc2821Mailbox]
 
 	index int
 	next  *chainConstraints
 }
 
-func (cc *chainConstraints) check(dns []string, uris []parsedURI, emails []parsedEmail, ips []net.IP) error {
+func (cc *chainConstraints) check(dns []string, uris []parsedURI, emails []rfc2821Mailbox, ips []net.IP) error {
 	for _, ip := range ips {
 		if err := checkConstraints(cc.ip, ip, ip); err != nil {
 			return err
@@ -488,8 +495,8 @@ func (cc *chainConstraints) check(dns []string, uris []parsedURI, emails []parse
 		}
 	}
 	for _, e := range emails {
-		if !domainNameValid(e.mailbox.domain, false) {
-			return fmt.Errorf("x509: cannot parse rfc822Name %q", e.mailbox)
+		if !domainNameValid(e.domain, false) {
+			return fmt.Errorf("x509: cannot parse rfc822Name %q", e)
 		}
 		if err := checkConstraints(cc.email, e, e); err != nil {
 			return err
@@ -509,7 +516,7 @@ func checkChainConstraints(chain []*Certificate) error {
 			ip:    constraints[*net.IPNet, net.IP]{"IP address", newIPNetConstraints(c.PermittedIPRanges), newIPNetConstraints(c.ExcludedIPRanges)},
 			dns:   constraints[string, string]{"DNS name", newDNSConstraints(c.PermittedDNSDomains, true), newDNSConstraints(c.ExcludedDNSDomains, false)},
 			uri:   constraints[string, string]{"URI", newDNSConstraints(c.PermittedURIDomains, true), newDNSConstraints(c.ExcludedURIDomains, false)},
-			email: constraints[string, parsedEmail]{"email address", newEmailConstraints(c.PermittedEmailAddresses, true), newEmailConstraints(c.ExcludedEmailAddresses, false)},
+			email: constraints[string, rfc2821Mailbox]{"email address", newEmailConstraints(c.PermittedEmailAddresses, true), newEmailConstraints(c.ExcludedEmailAddresses, false)},
 			index: i,
 		}
 		if currentConstraints == nil {
@@ -592,24 +599,15 @@ func parseURIs(uris []*url.URL) ([]parsedURI, error) {
 	return parsed, nil
 }
 
-type parsedEmail struct {
-	email   string
-	mailbox *rfc2821Mailbox
-}
-
-func (e parsedEmail) String() string {
-	return e.mailbox.local + "@" + e.mailbox.domain
-}
-
-func parseMailboxes(emails []string) ([]parsedEmail, error) {
-	parsed := make([]parsedEmail, 0, len(emails))
+func parseMailboxes(emails []string) ([]rfc2821Mailbox, error) {
+	parsed := make([]rfc2821Mailbox, 0, len(emails))
 	for _, email := range emails {
 		mailbox, ok := parseRFC2821Mailbox(email)
 		if !ok {
 			return nil, fmt.Errorf("cannot parse rfc822Name %q", email)
 		}
 		mailbox.domain = strings.ToLower(mailbox.domain)
-		parsed = append(parsed, parsedEmail{strings.ToLower(email), &mailbox})
+		parsed = append(parsed, mailbox)
 	}
 	return parsed, nil
 }

src/crypto/x509/name_constraints_test.go

@@ -1612,6 +1612,50 @@ var nameConstraintsTests = []nameConstraintsTest{
 			sans: []string{"dns:testexample.com"},
 		},
 	},
+	{
+		name: "excluded email constraint, multiple email with matching local portion",
+		roots: []constraintsSpec{
+			{
+				bad: []string{"email:a@example.com", "email:a@test.com"},
+			},
+		},
+		intermediates: [][]constraintsSpec{
+			{
+				{},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"email:a@example.com"},
+		},
+		expectedError: "\"a@example.com\" is excluded by constraint \"a@example.com\"",
+	},
+	{
+		name: "email_case_check",
+		roots: []constraintsSpec{
+			{
+				ok: []string{"email:a@example.com"},
+			},
+		},
+		intermediates: [][]constraintsSpec{
+			{
+				{},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"email:a@ExAmple.com"},
+		},
+	},
+	{
+		name: "excluded constraint, empty DNS san",
+		roots: []constraintsSpec{
+			{
+				bad: []string{"dns:example.com"},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"dns:"},
+		},
+	},
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {

src/crypto/x509/verify.go

@@ -253,6 +253,10 @@ type rfc2821Mailbox struct {
 	local, domain string
 }
 
+func (s rfc2821Mailbox) String() string {
+	return fmt.Sprintf("%s@%s", s.local, s.domain)
+}
+
 // parseRFC2821Mailbox parses an email address into local and domain parts,
 // based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280,
 // Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The

src/html/template/attr_string.go

@@ -156,6 +156,10 @@ const (
 	// stateError is an infectious error state outside any valid
 	// HTML/CSS/JS construct.
 	stateError
+	// stateMetaContent occurs inside a HTML meta element content attribute.
+	stateMetaContent
+	// stateMetaContentURL occurs inside a "url=" tag in a HTML meta element content attribute.
+	stateMetaContentURL
 	// stateDead marks unreachable code after a {{break}} or {{continue}}.
 	stateDead
 )
@@ -267,6 +271,8 @@ const (
 	elementTextarea
 	// elementTitle corresponds to the RCDATA <title> element.
 	elementTitle
+	// elementMeta corresponds to the HTML <meta> element.
+	elementMeta
 )
 
 //go:generate stringer -type attr
@@ -288,4 +294,6 @@ const (
 	attrURL
 	// attrSrcset corresponds to a srcset attribute.
 	attrSrcset
+	// attrMetaContent corresponds to the content attribute in meta HTML element.
+	attrMetaContent
 )

src/html/template/context.go

@@ -166,6 +166,8 @@ func (e *escaper) escape(c context, n parse.Node) context {
 
 var debugAllowActionJSTmpl = godebug.New("jstmpllitinterp")
 
+var htmlmetacontenturlescape = godebug.New("htmlmetacontenturlescape")
+
 // escapeAction escapes an action template node.
 func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
 	if len(n.Pipe.Decl) != 0 {
@@ -223,6 +225,18 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context {
 		default:
 			panic(c.urlPart.String())
 		}
+	case stateMetaContent:
+		// Handled below in delim check.
+	case stateMetaContentURL:
+		if htmlmetacontenturlescape.Value() != "0" {
+			s = append(s, "_html_template_urlfilter")
+		} else {
+			// We don't have a great place to increment this, since it's hard to
+			// know if we actually escape any urls in _html_template_urlfilter,
+			// since it has no information about what context it is being
+			// executed in etc. This is probably the best we can do.
+			htmlmetacontenturlescape.IncNonDefault()
+		}
 	case stateJS:
 		s = append(s, "_html_template_jsvalescaper")
 		// A slash after a value starts a div operator.

src/html/template/element_string.go

@@ -734,6 +734,16 @@ func TestEscape(t *testing.T) {
 			"<script>var a = `${ var a = \"{{\"a \\\" d\"}}\" }`</script>",
 			"<script>var a = `${ var a = \"a \\u0022 d\" }`</script>",
 		},
+		{
+			"meta content attribute url",
+			`<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`,
+			`<meta http-equiv="refresh" content="asd; url=#ZgotmplZ; asd; url=#ZgotmplZ; asd">`,
+		},
+		{
+			"meta content string",
+			`<meta http-equiv="refresh" content="{{"asd: 123"}}">`,
+			`<meta http-equiv="refresh" content="asd: 123">`,
+		},
 	}
 
 	for _, test := range tests {
@@ -1016,6 +1026,14 @@ func TestErrors(t *testing.T) {
 			"<script>var tmpl = `asd ${return \"{\"}`;</script>",
 			``,
 		},
+		{
+			`{{if eq "" ""}}<meta>{{end}}`,
+			``,
+		},
+		{
+			`{{if eq "" ""}}<meta content="url={{"asd"}}">{{end}}`,
+			``,
+		},
 
 		// Error cases.
 		{
@@ -2198,3 +2216,19 @@ func TestAliasedParseTreeDoesNotOverescape(t *testing.T) {
 		t.Fatalf(`Template "foo" and "bar" rendered %q and %q respectively, expected equal values`, got1, got2)
 	}
 }
+
+func TestMetaContentEscapeGODEBUG(t *testing.T) {
+	savedGODEBUG := os.Getenv("GODEBUG")
+	os.Setenv("GODEBUG", savedGODEBUG+",htmlmetacontenturlescape=0")
+	defer func() { os.Setenv("GODEBUG", savedGODEBUG) }()
+
+	tmpl := Must(New("").Parse(`<meta http-equiv="refresh" content="asd; url={{"javascript:alert(1)"}}; asd; url={{"vbscript:alert(1)"}}; asd">`))
+	var b strings.Builder
+	if err := tmpl.Execute(&b, nil); err != nil {
+		t.Fatalf("unexpected error: %s", err)
+	}
+	want := `<meta http-equiv="refresh" content="asd; url=javascript:alert(1); asd; url=vbscript:alert(1); asd">`
+	if got := b.String(); got != want {
+		t.Fatalf("got %q, want %q", got, want)
+	}
+}