_content/doc: update release notes with backwards incompatible changes
Go 1.19.8 and Go 1.20.3 had backwards-incompatible changes. Raise their
visibility by updating the release notes for Go 1.19 and Go 1.20.
Updates #59153.
Updates #59234.
Change-Id: Icd472bd5754c3dea1a1459e364746600826889b1
Reviewed-on: https://go-review.googlesource.com/c/website/+/482240
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/_content/doc/go1.19.html b/_content/doc/go1.19.html
index 97ab8c6..10dc733 100644
--- a/_content/doc/go1.19.html
+++ b/_content/doc/go1.19.html
@@ -639,6 +639,11 @@
instead of its own named type.
This allows writing code that operates on a <code>FuncMap</code> from either setting.
</p>
+ <p><!-- https://go.dev/issue/59153 --><!-- CL 481987 -->
+ Go 1.19.8 and later
+ <a href="/pkg/html/template#hdr-Security_Model">disallow actions in ECMAScript 6 template literals.</a>
+ This behavior can be reverted by the <code>GODEBUG=jstmpllitinterp=1</code> setting.
+ </p>
</dd>
</dl><!-- html/template -->
@@ -687,7 +692,24 @@
<a href="/pkg/mime/#AddExtensionType"><code>AddExtensionType</code></a>.
</p>
</dd>
-</dl>
+</dl><!-- mime -->
+
+<dl id="mime/multipart"><dt><a href="/pkg/mime/multipart">mime/multipart</a></dt>
+ <dd>
+ <p><!-- https://go.dev/issue/59153 --><!-- CL 481985 -->
+ In Go 1.19.8 and later, this package sets limits the size
+ of the MIME data it processes to protect against malicious inputs.
+ <code>Reader.NextPart</code> and <code>Reader.NextRawPart</code> limit the
+ number of headers in a part to 10000 and <code>Reader.ReadForm</code> limits
+ the total number of headers in all <code>FileHeaders</code> to 10000.
+ These limits may be adjusted with the <code>GODEBUG=multipartmaxheaders</code>
+ setting.
+ <code>Reader.ReadForm</code<> further limits the number of parts in a form to 1000.
+ This limit may be adjusted with the <code>GODEBUG=multipartmaxparts</code>
+ setting.
+ </p>
+ </dd>
+</dl><!-- mime/multipart -->
<dl id="net"><dt><a href="/pkg/net/">net</a></dt>
<dd>
diff --git a/_content/doc/go1.20.html b/_content/doc/go1.20.html
index cea648c..5e44979 100644
--- a/_content/doc/go1.20.html
+++ b/_content/doc/go1.20.html
@@ -828,6 +828,16 @@
</dd>
</dl><!-- go/types -->
+<dl id="html/template"><dt><a href="/pkg/html/template/">html/template</a></dt>
+ <dd>
+ <p><!-- https://go.dev/issue/59153 --><!-- CL 481993 -->
+ Go 1.20.3 and later
+ <a href="/pkg/html/template#hdr-Security_Model">disallow actions in ECMAScript 6 template literals.</a>
+ This behavior can be reverted by the <code>GODEBUG=jstmpllitinterp=1</code> setting.
+ </p>
+ </dd>
+</dl><!-- html/template -->
+
<dl id="io"><dt><a href="/pkg/io/">io</a></dt>
<dd>
<p><!-- https://go.dev/issue/45899, CL 406776 -->
@@ -899,6 +909,18 @@
Methods of the <a href="/pkg/mime/multipart/#Reader"><code>Reader</code></a> type now wrap errors
returned by the underlying <code>io.Reader</code>.
</p>
+ <p><!-- https://go.dev/issue/59153 --><!-- CL 481985 -->
+ In Go 1.19.8 and later, this package sets limits the size
+ of the MIME data it processes to protect against malicious inputs.
+ <code>Reader.NextPart</code> and <code>Reader.NextRawPart</code> limit the
+ number of headers in a part to 10000 and <code>Reader.ReadForm</code> limits
+ the total number of headers in all <code>FileHeaders</code> to 10000.
+ These limits may be adjusted with the <code>GODEBUG=multipartmaxheaders</code>
+ setting.
+ <code>Reader.ReadForm</code<> further limits the number of parts in a form to 1000.
+ This limit may be adjusted with the <code>GODEBUG=multipartmaxparts</code>
+ setting.
+ </p>
</dd>
</dl><!-- mime/multipart -->