!320 fix failure of net/http unit test and fix CVE-2024-24784

From: @hcnbxx Reviewed-by: @jing-rui Signed-off-by: @jing-rui
2024-03-28 08:37:06 +00:00 · 2024-03-28 08:37:06 +00:00 · 9d09ecc926
commit 9d09ecc926
parent 7619d4c97d f4c9675d23
5 changed files with 415 additions and 35 deletions
--- a/0114-release-branch.go1.21-html-template-escape-additiona.patch
+++ b/0114-release-branch.go1.21-html-template-escape-additiona.patch
@ -1,13 +1,22 @@
-From 6bf8cd883445c302836728eac62926bf14aa6c2b Mon Sep 17 00:00:00 2001
+From e7b9308c2106900310bbaeef1ddd948e845054e1 Mon Sep 17 00:00:00 2001
 From: Roland Shoemaker <roland@golang.org>
-Date: Wed, 14 Feb 2024 17:18:36 -0800
-Subject: [PATCH 2/4] [release-branch.go1.21] html/template: escape additional
- tokens in MarshalJSON errors
+Date: Thu, 15 Feb 2024 09:18:36 +0800
+Subject: [PATCH 4/4] [Backport] html/template: escape additional tokens in
+ MarshalJSON errors
+
+Offering: Cloud Core Network
+CVE: CVE-2024-24785
+Reference: https://go-review.googlesource.com/c/go/+/567515

 Escape "</script" and "<!--" in errors returned from MarshalJSON errors
 when attempting to marshal types in script blocks. This prevents any
 user controlled content from prematurely terminating the script block.

+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: machangwang m00509938
+
 Updates #65697
 Fixes #65968

@ -18,13 +27,14 @@ Reviewed-by: Damien Neil <dneil@google.com>
 (cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
 Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
 Reviewed-by: Carlos Amedee <carlos@golang.org>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
 ---
 src/html/template/js.go      | 22 ++++++++-
 src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
 2 files changed, 74 insertions(+), 44 deletions(-)

 diff --git a/src/html/template/js.go b/src/html/template/js.go
-index 35994f076eb..4d3b25d088c 100644
+index 35994f076e..4d3b25d088 100644
 --- a/src/html/template/js.go
 +++ b/src/html/template/js.go
@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
@ -62,7 +72,7 @@ index 35994f076eb..4d3b25d088c 100644
 
 	// TODO: maybe post-process output to prevent it from containing
 diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
-index de9ef284106..0ad7b49d646 100644
+index de9ef28410..26d6dcd92c 100644
 --- a/src/html/template/js_test.go
 +++ b/src/html/template/js_test.go
@@ -6,6 +6,7 @@ package template
@ -87,7 +97,7 @@ index de9ef284106..0ad7b49d646 100644
 	tests := []struct {
 -		x  interface{}
 -		js string
-+		x        any
+		x        interface{}
 +		js       string
 +		skipNest bool
 	}{
@ -165,8 +175,8 @@ index de9ef284106..0ad7b49d646 100644
 -		{nil, " null "},
 +		{"\t\x0b", `"\t\u000b"`, false},
 +		{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
-+		{[]any{}, "[]", false},
-+		{[]any{42, "foo", nil}, `[42,"foo",null]`, false},
+		{[]interface{}{}, "[]", false},
+		{[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false},
 +		{[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
 +		{"<!--", `"\u003c!--"`, false},
 +		{"-->", `"--\u003e"`, false},
--- a/0115-net-textproto-mime-multipart-avoid-unbounded-read-in.patch
+++ b/0115-net-textproto-mime-multipart-avoid-unbounded-read-in.patch
@ -1,8 +1,12 @@
-From 7d40949db8a4b2d5cd294dc76b80f2a0c1c47db0 Mon Sep 17 00:00:00 2001
+From ad350209f937e05451e46bf55ca8a13f4b24e58e Mon Sep 17 00:00:00 2001
 From: Damien Neil <dneil@google.com>
 Date: Tue, 16 Jan 2024 15:37:52 -0800
-Subject: [PATCH 3/4] net/textproto, mime/multipart: avoid unbounded read in
- MIME header
+Subject: [PATCH 1/4] [Backport] net/textproto, mime/multipart: avoid unbounded
+ read in MIME header
+
+Offering: Cloud Core Network
+CVE: CVE-2023-45290
+Reference: https://go-review.googlesource.com/c/go/+/569341

 mime/multipart.Reader.ReadForm allows specifying the maximum amount
 of memory that will be consumed by the form. While this limit is
@ -15,6 +19,11 @@ runs out of memory.

 Limit the amount of data consumed when reading a header.

+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: zhaoshengwei z00581105
+
 Fixes CVE-2023-45290
 Fixes #65383

@ -27,6 +36,7 @@ Reviewed-by: Carlos Amedee <carlos@golang.org>
 Reviewed-by: Damien Neil <dneil@google.com>
 Auto-Submit: Michael Knyszek <mknyszek@google.com>
 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 ---
 src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++
 src/net/textproto/reader.go         | 48 ++++++++++++++++++++---------
@ -34,7 +44,7 @@ LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceacc
 3 files changed, 87 insertions(+), 15 deletions(-)

 diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
-index 24de7b89563..1eb301be641 100644
+index 24de7b8956..1eb301be64 100644
 --- a/src/mime/multipart/formdata_test.go
 +++ b/src/mime/multipart/formdata_test.go
@@ -407,6 +407,48 @@ func TestReadFormLimits(t *testing.T) {
@ -87,7 +97,7 @@ index 24de7b89563..1eb301be641 100644
 	for _, test := range []struct {
 		name string
 diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
-index d80f378801d..b377a7ce5d9 100644
+index d80f378801..b377a7ce5d 100644
 --- a/src/net/textproto/reader.go
 +++ b/src/net/textproto/reader.go
@@ -17,6 +17,10 @@ import (
@ -238,7 +248,7 @@ index d80f378801d..b377a7ce5d9 100644
 		if vv == nil && len(strs) > 0 {
 			// More than likely this will be a single-element key.
 diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
-index 3ae0de13530..db1ed91bd51 100644
+index 3ae0de1353..db1ed91bd5 100644
 --- a/src/net/textproto/reader_test.go
 +++ b/src/net/textproto/reader_test.go
@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) {
--- a/0116-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
+++ b/0116-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
@ -1,8 +1,12 @@
-From 80b1721f76672451256fd5e1ad508d185cfd74ef Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
-Date: Thu, 11 Jan 2024 11:31:57 -0800
-Subject: [PATCH 4/4] [release-branch.go1.21] net/http, net/http/cookiejar:
- avoid subdomain matches on IPv6 zones
+From eccb945d92ba5e7f88c6f4f0e810862588ebd688 Mon Sep 17 00:00:00 2001
+From: Gustavo Falco <comfortablynumb84@gmail.com>
+Date: Sun, 11 Dec 2022 02:39:20 +0000
+Subject: [PATCH 2/4] [Backport] net/http, net/http/cookiejar: avoid subdomain
+ matches on IPv6 zones
+
+Offering: Cloud Core Network
+CVE: CVE-2023-45289
+Reference: https://go-review.googlesource.com/c/go/+/569340

 When deciding whether to forward cookies or sensitive headers
 across a redirect, do not attempt to interpret an IPv6 address
@ -16,31 +20,71 @@ of "www.example.com".

 Thanks to Juho Nurminen of Mattermost for reporting this issue.

+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: zhaoshengwei z00581105
+
 Fixes CVE-2023-45289
-Fixes #65385
-For #65065
+Fixes #65065

 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
 Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
 Reviewed-by: Roland Shoemaker <bracewell@google.com>
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
-Reviewed-by: Carlos Amedee <amedee@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569340
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
 Reviewed-by: Carlos Amedee <carlos@golang.org>
 Auto-Submit: Michael Knyszek <mknyszek@google.com>
-TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
+
+[Backport] net/http: keep sensitive headers on redirects to the same host
+
+Offering: Cloud Core Network
+Reference: https://go-review.googlesource.com/c/go/+/424935
+
+Preserve sensitive headers on a redirect to a different port of the same host.
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: zhaoshengwei z00581105
+
+Fixes #35104
+
+Change-Id: I5ab57c414ce92a70e688ee684b9ff02fb062b3c6
+GitHub-Last-Rev: 8d53e71e2243c141d70d27a503d0f7e6dee64c3c
+GitHub-Pull-Request: golang/go#54539
+Reviewed-on: https://go-review.googlesource.com/c/go/+/424935
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Cherry Mui <cherryyz@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Signed-off-by: Zhao Sheng Wei zhaoshengwei@huawei.com
 ---
- src/net/http/client.go             |  6 ++++++
- src/net/http/client_test.go        |  1 +
+ src/net/http/client.go             | 10 ++++++++--
+ src/net/http/client_test.go        | 30 +++++++++++++++++++++++++-----
 src/net/http/cookiejar/jar.go      |  7 +++++++
 src/net/http/cookiejar/jar_test.go | 10 ++++++++++
- 4 files changed, 24 insertions(+)
+ src/net/http/transport.go          | 10 +++++++---
+ 5 files changed, 57 insertions(+), 10 deletions(-)

 diff --git a/src/net/http/client.go b/src/net/http/client.go
-index 3860d97d8f4..54866fe5d6c 100644
+index 3860d97d8f..5f24bfce7a 100644
 --- a/src/net/http/client.go
 +++ b/src/net/http/client.go
+@@ -976,8 +976,8 @@ func shouldCopyHeaderOnRedirect(headerKey string, initial, dest *url.URL) bool {
+ 		// directly, we don't know their scope, so we assume
+ 		// it's for *.domain.com.
+ 
+-		ihost := canonicalAddr(initial)
+-		dhost := canonicalAddr(dest)
+		ihost := idnaASCIIFromURL(initial)
+		dhost := idnaASCIIFromURL(dest)
+ 		return isDomainOrSubdomain(dhost, ihost)
+ 	}
+ 	// All other headers are copied:
@@ -992,6 +992,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
 	if sub == parent {
 		return true
@ -55,19 +99,79 @@ index 3860d97d8f4..54866fe5d6c 100644
 	// that means sub must end in "."+parent.
 	// Do it without allocating.
 diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
-index 80807fae7a4..b4698eee082 100644
+index 80807fae7a..ce476d1a34 100644
 --- a/src/net/http/client_test.go
 +++ b/src/net/http/client_test.go
-@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+@@ -1466,6 +1466,9 @@ func TestClientRedirectResponseWithoutRequest(t *testing.T) {
+ }
+ 
+ // Issue 4800: copy (some) headers when Client follows a redirect.
+// Issue 35104: Since both URLs have the same host (localhost)
+// but different ports, sensitive headers like Cookie and Authorization
+// are preserved.
+ func TestClientCopyHeadersOnRedirect(t *testing.T) {
+ 	const (
+ 		ua   = "some-agent/1.2"
+@@ -1478,6 +1481,8 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
+ 			"X-Foo":           []string{xfoo},
+ 			"Referer":         []string{ts2URL},
+ 			"Accept-Encoding": []string{"gzip"},
+			"Cookie":          []string{"foo=bar"},
+			"Authorization":   []string{"secretpassword"},
+ 		}
+ 		if !reflect.DeepEqual(r.Header, want) {
+ 			t.Errorf("Request.Header = %#v; want %#v", r.Header, want)
+@@ -1498,9 +1503,11 @@ func TestClientCopyHeadersOnRedirect(t *testing.T) {
+ 	c := ts1.Client()
+ 	c.CheckRedirect = func(r *Request, via []*Request) error {
+ 		want := Header{
+-			"User-Agent": []string{ua},
+-			"X-Foo":      []string{xfoo},
+-			"Referer":    []string{ts2URL},
+			"User-Agent":    []string{ua},
+			"X-Foo":         []string{xfoo},
+			"Referer":       []string{ts2URL},
+			"Cookie":        []string{"foo=bar"},
+			"Authorization": []string{"secretpassword"},
+ 		}
+ 		if !reflect.DeepEqual(r.Header, want) {
+ 			t.Errorf("CheckRedirect Request.Header = %#v; want %#v", r.Header, want)
+@@ -1702,18 +1709,31 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+ 		{"cookie", "http://foo.com/", "http://bar.com/", false},
 		{"cookie2", "http://foo.com/", "http://bar.com/", false},
 		{"authorization", "http://foo.com/", "http://bar.com/", false},
+		{"authorization", "http://foo.com/", "https://foo.com/", true},
+		{"authorization", "http://foo.com:1234/", "http://foo.com:4321/", true},
 		{"www-authenticate", "http://foo.com/", "http://bar.com/", false},
 +		{"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
 
 		// But subdomains should work:
 		{"www-authenticate", "http://foo.com/", "http://foo.com/", true},
+ 		{"www-authenticate", "http://foo.com/", "http://sub.foo.com/", true},
+ 		{"www-authenticate", "http://foo.com/", "http://notfoo.com/", false},
+-		{"www-authenticate", "http://foo.com/", "https://foo.com/", false},
+		{"www-authenticate", "http://foo.com/", "https://foo.com/", true},
+ 		{"www-authenticate", "http://foo.com:80/", "http://foo.com/", true},
+ 		{"www-authenticate", "http://foo.com:80/", "http://sub.foo.com/", true},
+ 		{"www-authenticate", "http://foo.com:443/", "https://foo.com/", true},
+ 		{"www-authenticate", "http://foo.com:443/", "https://sub.foo.com/", true},
+-		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", false},
+		{"www-authenticate", "http://foo.com:1234/", "http://foo.com/", true},
+
+		{"authorization", "http://foo.com/", "http://foo.com/", true},
+		{"authorization", "http://foo.com/", "http://sub.foo.com/", true},
+		{"authorization", "http://foo.com/", "http://notfoo.com/", false},
+		{"authorization", "http://foo.com/", "https://foo.com/", true},
+		{"authorization", "http://foo.com:80/", "http://foo.com/", true},
+		{"authorization", "http://foo.com:80/", "http://sub.foo.com/", true},
+		{"authorization", "http://foo.com:443/", "https://foo.com/", true},
+		{"authorization", "http://foo.com:443/", "https://sub.foo.com/", true},
+		{"authorization", "http://foo.com:1234/", "http://foo.com/", true},
+ 	}
+ 	for i, tt := range tests {
+ 		u0, err := url.Parse(tt.initialURL)
 diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
-index 9f199170847..18cbfc272d7 100644
+index 9f19917084..18cbfc272d 100644
 --- a/src/net/http/cookiejar/jar.go
 +++ b/src/net/http/cookiejar/jar.go
@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string {
@ -85,7 +189,7 @@ index 9f199170847..18cbfc272d7 100644
 }
 
 diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
-index 47fb1abdaaf..fd8d40ed1b9 100644
+index 47fb1abdaa..fd8d40ed1b 100644
 --- a/src/net/http/cookiejar/jar_test.go
 +++ b/src/net/http/cookiejar/jar_test.go
@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{
@ -112,6 +216,35 @@ index 47fb1abdaaf..fd8d40ed1b9 100644
 }
 
 func TestBasics(t *testing.T) {
+diff --git a/src/net/http/transport.go b/src/net/http/transport.go
+index 88d15a5919..e48026b7be 100644
+--- a/src/net/http/transport.go
+++ b/src/net/http/transport.go
+@@ -2678,17 +2678,21 @@ var portMap = map[string]string{
+ 	"socks5": "1080",
+ }
+ 
+-// canonicalAddr returns url.Host but always with a ":port" suffix
+-func canonicalAddr(url *url.URL) string {
+func idnaASCIIFromURL(url *url.URL) string {
+ 	addr := url.Hostname()
+ 	if v, err := idnaASCII(addr); err == nil {
+ 		addr = v
+ 	}
+	return addr
+}
+
+// canonicalAddr returns url.Host but always with a ":port" suffix.
+func canonicalAddr(url *url.URL) string {
+ 	port := url.Port()
+ 	if port == "" {
+ 		port = portMap[url.Scheme]
+ 	}
+-	return net.JoinHostPort(addr, port)
+	return net.JoinHostPort(idnaASCIIFromURL(url), port)
+ }
+ 
+ // bodyEOFSignal is used by the HTTP/1 transport when reading response
 -- 
 2.33.0

--- a/0117-Backport-net-mail-properly-handle-special-characters.patch
+++ b/0117-Backport-net-mail-properly-handle-special-characters.patch
@ -0,0 +1,214 @@
+From 7cb2b9f6cb44d5ce59c0c30138a20fc6c9c4eb0c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Wed, 10 Jan 2024 11:02:14 -0800
+Subject: [PATCH 3/4] [Backport] net/mail: properly handle special characters
+ in phrase and obs-phrase
+
+Offering: Cloud Core Network
+CVE: CVE-2024-24784
+Reference: https://go-review.googlesource.com/c/go/+/566195
+
+Fixes a couple of misalignments with RFC 5322 which introduce
+significant diffs between (mostly) conformant parsers.
+
+This change reverts the changes made in CL50911, which allowed certain
+special RFC 5322 characters to appear unquoted in the "phrase" syntax.
+It is unclear why this change was made in the first place, and created
+a divergence from comformant parsers. In particular this resulted in
+treating comments in display names incorrectly.
+
+Additionally properly handle trailing malformed comments in the group
+syntax.
+
+Note: The upstream does not submit this change to go1.16 according to the rules of MinorReleases.
+Corego2.x are based on go1.16.5. Therefore, it need to submit the change to corego2.x.
+
+Edited-by: machangwang m00509938
+
+For #65083
+Fixes #65848
+
+Change-Id: I00dddc044c6ae3381154e43236632604c390f672
+Reviewed-on: https://go-review.googlesource.com/c/go/+/555596
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/566195
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Signed-off-by: Ma Chang Wang machangwang@huawei.com
+---
+ src/net/mail/message.go      | 30 +++++++++++++++------------
+ src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++----------
+ 2 files changed, 46 insertions(+), 24 deletions(-)
+
+diff --git a/src/net/mail/message.go b/src/net/mail/message.go
+index 09fb794005..f1d7e2f989 100644
+--- a/src/net/mail/message.go
+++ b/src/net/mail/message.go
+@@ -217,7 +217,7 @@ func (a *Address) String() string {
+ 	// Add quotes if needed
+ 	quoteLocal := false
+ 	for i, r := range local {
+-		if isAtext(r, false, false) {
+		if isAtext(r, false) {
+ 			continue
+ 		}
+ 		if r == '.' {
+@@ -381,7 +381,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) {
+ 	if !p.consume('<') {
+ 		atext := true
+ 		for _, r := range displayName {
+-			if !isAtext(r, true, false) {
+			if !isAtext(r, true) {
+ 				atext = false
+ 				break
+ 			}
+@@ -416,7 +416,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ 	// handle empty group.
+ 	p.skipSpace()
+ 	if p.consume(';') {
+-		p.skipCFWS()
+		if !p.skipCFWS() {
+			return nil, errors.New("mail: misformatted parenthetical comment")
+		}
+ 		return group, nil
+ 	}
+ 
+@@ -433,7 +435,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) {
+ 			return nil, errors.New("mail: misformatted parenthetical comment")
+ 		}
+ 		if p.consume(';') {
+-			p.skipCFWS()
+			if !p.skipCFWS() {
+				return nil, errors.New("mail: misformatted parenthetical comment")
+			}
+ 			break
+ 		}
+ 		if !p.consume(',') {
+@@ -503,6 +507,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) {
+ 	var words []string
+ 	var isPrevEncoded bool
+ 	for {
+		// obs-phrase allows CFWS after one word
+		if len(words) > 0 {
+			if !p.skipCFWS() {
+				return "", errors.New("mail: misformatted parenthetical comment")
+			}
+		}
+ 		// word = atom / quoted-string
+ 		var word string
+ 		p.skipSpace()
+@@ -598,7 +608,6 @@ Loop:
+ // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead.
+ // If permissive is true, consumeAtom will not fail on:
+ // - leading/trailing/double dots in the atom (see golang.org/issue/4938)
+-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018)
+ func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) {
+ 	i := 0
+ 
+@@ -609,7 +618,7 @@ Loop:
+ 		case size == 1 && r == utf8.RuneError:
+ 			return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s)
+ 
+-		case size == 0 || !isAtext(r, dot, permissive):
+		case size == 0 || !isAtext(r, dot):
+ 			break Loop
+ 
+ 		default:
+@@ -763,18 +772,13 @@ func (e charsetError) Error() string {
+ 
+ // isAtext reports whether r is an RFC 5322 atext character.
+ // If dot is true, period is included.
+-// If permissive is true, RFC 5322 3.2.3 specials is included,
+-// except '<', '>', ':' and '"'.
+-func isAtext(r rune, dot, permissive bool) bool {
+func isAtext(r rune, dot bool) bool {
+ 	switch r {
+ 	case '.':
+ 		return dot
+ 
+ 	// RFC 5322 3.2.3. specials
+-	case '(', ')', '[', ']', ';', '@', '\\', ',':
+-		return permissive
+-
+-	case '<', '>', '"', ':':
+	case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. specials
+ 		return false
+ 	}
+ 	return isVchar(r)
+diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go
+index 67e3643aeb..eeaa86e028 100644
+--- a/src/net/mail/message_test.go
+++ b/src/net/mail/message_test.go
+@@ -296,8 +296,11 @@ func TestAddressParsingError(t *testing.T) {
+ 		13: {"group not closed: null@example.com", "expected comma"},
+ 		14: {"group: first@example.com, second@example.com;", "group with multiple addresses"},
+ 		15: {"john.doe", "missing '@' or angle-addr"},
+-		16: {"john.doe@", "no angle-addr"},
+		16: {"john.doe@", "missing '@' or angle-addr"},
+ 		17: {"John Doe@foo.bar", "no angle-addr"},
+		18: {" group: null@example.com; (asd", "misformatted parenthetical comment"},
+		19: {" group: ; (asd", "misformatted parenthetical comment"},
+		20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"},
+ 	}
+ 
+ 	for i, tc := range mustErrTestCases {
+@@ -336,24 +339,19 @@ func TestAddressParsing(t *testing.T) {
+ 				Address: "john.q.public@example.com",
+ 			}},
+ 		},
+-		{
+-			`"John (middle) Doe" <jdoe@machine.example>`,
+-			[]*Address{{
+-				Name:    "John (middle) Doe",
+-				Address: "jdoe@machine.example",
+-			}},
+-		},
+		// Comment in display name
+ 		{
+ 			`John (middle) Doe <jdoe@machine.example>`,
+ 			[]*Address{{
+-				Name:    "John (middle) Doe",
+				Name:    "John Doe",
+ 				Address: "jdoe@machine.example",
+ 			}},
+ 		},
+		// Display name is quoted string, so comment is not a comment
+ 		{
+-			`John !@M@! Doe <jdoe@machine.example>`,
+			`"John (middle) Doe" <jdoe@machine.example>`,
+ 			[]*Address{{
+-				Name:    "John !@M@! Doe",
+				Name:    "John (middle) Doe",
+ 				Address: "jdoe@machine.example",
+ 			}},
+ 		},
+@@ -688,6 +686,26 @@ func TestAddressParsing(t *testing.T) {
+ 				},
+ 			},
+ 		},
+		// Comment in group display name
+		{
+			`group (comment:): a@example.com, b@example.com;`,
+			[]*Address{
+				{
+					Address: "a@example.com",
+				},
+				{
+					Address: "b@example.com",
+				},
+			},
+		},
+		{
+			`x(:"):"@a.example;("@b.example;`,
+			[]*Address{
+				{
+					Address: `@a.example;(@b.example`,
+				},
+			},
+		},
+ 	}
+ 	for _, test := range tests {
+ 		if len(test.exp) == 1 {
+-- 
+2.33.0
+
--- a/golang.spec
+++ b/golang.spec
@ -58,7 +58,7 @@

 Name:           golang
 Version:        1.15.7
-Release:        39
+Release:        41
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@ -258,6 +258,7 @@ Patch6113:	0113-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch
 Patch6114:	0114-release-branch.go1.21-html-template-escape-additiona.patch
 Patch6115:	0115-net-textproto-mime-multipart-avoid-unbounded-read-in.patch
 Patch6116:	0116-release-branch.go1.21-net-http-net-http-cookiejar-av.patch
+Patch6117:	0117-Backport-net-mail-properly-handle-special-characters.patch

 Patch9001:  0001-drop-hard-code-cert.patch
 Patch9002:  0002-fix-patch-cmd-go-internal-modfetch-do-not-sho.patch
@ -497,6 +498,18 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list

 %changelog
+* Thu Mar 28 2024 hanchao <hanchao63@huawei.com> - 1.15.7-41
+- Type:CVE
+- CVE:CVE-2024-24784
+- SUG:NA
+- DESC:fix CVE-2024-24784
+
+* Thu Mar 28 2024 hanchao <hanchao63@huawei.com> - 1.15.7-40
+- Type:bugfix
+- CVE:
+- SUG:NA
+- DESC:fix failure of net/http unit test
+
 * Fri Mar 15 2024 hanchao <hanchao63@huawei.com> - 1.15.7-39
 - Type:CVE
 - CVE:CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289