author | Shubham Kulkarni <skulkarni@mvista.com> | 2023-05-02 21:40:12 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-16 06:18:21 -1000 |
commit | 79dcce4413fc4c785c7ed562dd2e7ca91fe9d68c (patch) | |
tree | a3c11a641268b23c2324cdfab7701fc1ec8af1e1 /meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch | |
parent | a631bfc3a38f7d00b2c666661a89a758a0af9831 (diff) | |
go: Security fix for CVE-2023-24538
html/template: disallow actions in JS template literals
Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
(From OE-Core rev: c8a597b76505dab7649f4c9b18e1e14b0e3d57af)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch | 196 |
1 files changed, 196 insertions, 0 deletions
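--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -0,0 +1,196 @@
+From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
+From: empijei <robclap8@gmail.com>
+Date: Fri, 27 Mar 2020 19:27:55 +0100
+Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
+for JSON compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The existing implementation is not compatible with JSON
+escape as it uses hex escaping.
+Unicode escape, instead, is valid for both JSON and JS.
+This fix avoids creating a separate escaping context for
+scripts of type "application/ld+json" and it is more
+future-proof in case more JSON+JS contexts get added
+to the platform (e.g. import maps).
+
+Fixes #33671
+Fixes #37634
+
+Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226097
+Reviewed-by: Carl Johnson <me@carlmjohnson.net>
+Reviewed-by: Daniel Martà <mvdan@mvdan.cc>
+Run-TryBot: Daniel Martà <mvdan@mvdan.cc>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+
+Dependency Patch #2
+
+Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070
+CVE: CVE-2023-24538
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+src/html/template/js.go | 70 +++++++++++++++++++++++++++-------------------
+src/text/template/funcs.go | 8 +++---
+2 files changed, 46 insertions(+), 32 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 0e91458..ea9c183 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string {
+}
+// TODO: detect cycles before calling Marshal which loops infinitely on
+// cyclic data. This may be an unacceptable DoS risk.
+-
+b, err := json.Marshal(a)
+if err != nil {
+// Put a space before comment so that if it is flush against
+@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string {
+// TODO: maybe post-process output to prevent it from containing
+// "<!--", "-->", "<![CDATA[", "]]>", or "</script"
+// in case custom marshalers produce output containing those.
+-
+- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output.
++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper
++ // supports ld+json content-type.
+if len(b) == 0 {
+// In, `x=y/{{.}}*z` a json.Marshaler that produces "" should
+// not cause the output `x=y/*z`.
+@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string {
+r, w = utf8.DecodeRuneInString(s[i:])
+var repl string
+switch {
++ case int(r) < len(lowUnicodeReplacementTable):
++ repl = lowUnicodeReplacementTable[r]
+case int(r) < len(replacementTable) && replacementTable[r] != "":
+repl = replacementTable[r]
+case r == '\u2028':
+@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string {
+return b.String()
+}
+
++var lowUnicodeReplacementTable = []string{
++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`,
++ '\a': `\u0007`,
++ '\b': `\u0008`,
++ '\t': `\t`,
++ '\n': `\n`,
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
++ '\f': `\f`,
++ '\r': `\r`,
++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`,
++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`,
++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`,
++}
++
+var jsStrReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+'\t': `\t`,
+'\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+'\f': `\f`,
+'\r': `\r`,
+// Encode HTML specials as hex so the output can be embedded
+// in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+'/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+'\\': `\\`,
+}
+
+// jsStrNormReplacementTable is like jsStrReplacementTable but does not
+// overencode existing escapes since this table has no entry for `\`.
+var jsStrNormReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+'\t': `\t`,
+'\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+'\f': `\f`,
+'\r': `\r`,
+// Encode HTML specials as hex so the output can be embedded
+// in HTML attributes without further encoding.
+- '"': `\x22`,
+- '&': `\x26`,
+- '\'': `\x27`,
+- '+': `\x2b`,
++ '"': `\u0022`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
++ '+': `\u002b`,
+'/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+}
+-
+var jsRegexpReplacementTable = []string{
+- 0: `\0`,
++ 0: `\u0000`,
+'\t': `\t`,
+'\n': `\n`,
+- '\v': `\x0b`, // "\v" == "v" on IE 6.
++ '\v': `\u000b`, // "\v" == "v" on IE 6.
+'\f': `\f`,
+'\r': `\r`,
+// Encode HTML specials as hex so the output can be embedded
+// in HTML attributes without further encoding.
+- '"': `\x22`,
++ '"': `\u0022`,
+'$': `\$`,
+- '&': `\x26`,
+- '\'': `\x27`,
++ '&': `\u0026`,
++ '\'': `\u0027`,
+'(': `\(`,
+')': `\)`,
+'*': `\*`,
+- '+': `\x2b`,
++ '+': `\u002b`,
+'-': `\-`,
+'.': `\.`,
+'/': `\/`,
+- '<': `\x3c`,
+- '>': `\x3e`,
++ '<': `\u003c`,
++ '>': `\u003e`,
+'?': `\?`,
+'[': `\[`,
+'\\': `\\`,
+diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
+index 46125bc..f3de9fb 100644
+--- a/src/text/template/funcs.go
++++ b/src/text/template/funcs.go
+@@ -640,10 +640,10 @@ var (
+jsBackslash = []byte(`\\`)
+jsApos = []byte(`\'`)
+jsQuot = []byte(`\"`)
+- jsLt = []byte(`\x3C`)
+- jsGt = []byte(`\x3E`)
+- jsAmp = []byte(`\x26`)
+- jsEq = []byte(`\x3D`)
++ jsLt = []byte(`\u003C`)
++ jsGt = []byte(`\u003E`)
++ jsAmp = []byte(`\u0026`)
++ jsEq = []byte(`\u003D`)
+)
+
+// JSEscape writes to w the escaped JavaScript equivalent of the plain text data b.
+--
+2.7.4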
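Review bot: The backported patch's own diffstat (the `src/html/template/js.go` and `src/text/template/funcs.go` lines under the `---` separator) lists only the two implementation files, so any `_test.go` updates that accompanied the upstream commit named in the `Upstream-Status` line appear to have been dropped; the existing Go tests assert the old `\x..` escapes, so if they were kept as-is they would now fail, and if they are not run at all the switch to `\u....` escapes is unverified in this recipe. Either carry the upstream test hunks in this patch or state in the patch header why they are omitted, e.g. `Upstream test changes omitted: <reason>` directly under `Dependency Patch #2`. It would also help maintainers to record in that header the apply order this patch depends on, since the `[PATCH 2/3]` subject only implies it. The `Reviewed-by` and `Run-TryBot` lines render as "Martà", which looks like a Latin-1 display of UTF-8 bytes rather than a defect in the file, but it is worth confirming the checked-in patch is still valid UTF-8 as its `Content-Type` header claims.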