Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch | 82 |
1 files changed, 82 insertions, 0 deletions
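--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
+From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 12 Aug 2022 16:21:09 -0700
+Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
+
+JoinPath would fail to remove relative elements from the start of
+the path when the first path element is "".
+
+In addition, JoinPath would return the original path unmodified
+when provided with no elements to join, violating the documented
+behavior of always cleaning the resulting path.
+
+Correct both these cases.
+
+JoinPath("http://go.dev", "../go")
+// before: http://go.dev/../go
+// after: http://go.dev/go
+
+JoinPath("http://go.dev/../go")
+// before: http://go.dev/../go
+// after: http://go.dev/go
+
+For #54385.
+Fixes #54635.
+Fixes CVE-2022-32190.
+
+Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Alan Donovan <adonovan@google.com>
+(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
+Run-TryBot: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+src/net/url/url.go | 26 ++++++++++++++++----------
+1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 73079a5..1e8baf9 100644
+--- a/src/net/url/url.go
++++ b/src/net/url/url.go
+@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+// any existing path and the resulting path cleaned of any ./ or ../ elements.
+// Any sequences of multiple / characters will be reduced to a single /.
+func (u *URL) JoinPath(elem ...string) *URL {
+- url := *u
+- if len(elem) > 0 {
+- elem = append([]string{u.EscapedPath()}, elem...)
+- p := path.Join(elem...)
+- // path.Join will remove any trailing slashes.
+- // Preserve at least one.
+- if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+- p += "/"
+- }
+- url.setPath(p)
++ elem = append([]string{u.EscapedPath()}, elem...)
++ var p string
++ if !strings.HasPrefix(elem[0], "/") {
+// Return a relative path if u is relative,
+// but ensure that it contains no ../ elements.
++ elem[0] = "/" + elem[0]
++ p = path.Join(elem...)[1:]
++ } else {
++ p = path.Join(elem...)
+}
++ // path.Join will remove any trailing slashes.
++ // Preserve at least one.
++ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
++ p += "/"
++ }
++ url := *u
++ url.setPath(p)
+return &url
+}
+
+--
+2.7.4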
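Review bot: In the embedded `JoinPath` hunk, the two comment lines `// Return a relative path if u is relative,` and `// but ensure that it contains no ../ elements.` carry no `+` marker as shown here, although they sit inside the newly added `if !strings.HasPrefix(elem[0], "/")` branch. Read as context, they make the hunk disagree with its own header (`-1109,17 +1109,23`) and with the `16 insertions(+)` in the patch's diffstat, so the patch may be rejected or mis-applied and the CVE-2022-32190 fix would not reach the built toolchain; unless this is a rendering artifact, both lines should start with `+`. The backport also touches only `src/net/url/url.go`, so neither case from the commit message (`JoinPath("http://go.dev", "../go")` and `JoinPath("http://go.dev/../go")`) is pinned by a regression test here; carrying test cases for both would confirm that the `../` elements are removed on this branch. As `[PATCH 4/4]` in a go-1.14 recipe, it presumably depends on earlier patches in the series providing `JoinPath`, which this page does not show, so the order in which the recipe applies them is worth verifying.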