net/url: URL allows malformed query round trip [1.10 backport] #29922
Comments
gopherbot
added
the
CherryPickCandidate
FiloSottile
added
CherryPickApproved
|
I will make a cherry-pick CL for this. I am using this as an opportunity to verify an answer I am planning to provide to this question. |
|
Change https://golang.org/cl/159478 mentions this issue: |
|
@bradfitz In CL 159478, you said:
Should this issue lose its CherryPickApproved label and/or be closed? Or are you going to re-use it to backport that different fix (as mentioned in #29923 (comment))? In any case, leaving to you. |
|
This should stay open until we backport something. |
|
Change https://golang.org/cl/160678 mentions this issue: |
|
Closed by merging d4cf10b to release-branch.go1.10. |
…in URLs Cherry pick of combined CL 159157 + CL 160178. Fixes #29922 Updates #27302 Updates #22907 Change-Id: I6de92c14284595a58321a4b4d53229285979b872 Reviewed-on: https://go-review.googlesource.com/c/160678 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org>
|
is there a target 1.10.x release for d4cf10b? |
|
Go 1.10 is no longer maintained once Go 1.12 was released. We only support the past two released versions of Go. |
|
Understood. I thought merging the security fix to the release branch implied a release would be cut. Unreleased security fixes sitting in the branch are unfortunate. |
|
given this was deemed worthy of backport, and was backported on 2019-02-01 (prior to 1.12 being released on 2019-02-25), would it have been worthwhile to cut a 1.10.x release rolling up unreleased changes prior to dropping support because of 1.12? |
|
Its importance has been questioned elsewhere. It's not a huge security issue. It's borderline. |
@FiloSottile requested issue #22907 to be considered for backport to the next 1.10 minor release.
The text was updated successfully, but these errors were encountered: