diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch new file mode 100644 index 0000000000..092c7aa0ff --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 0d347544cbca0f42b160424f6bc2458ebcc7b3fc Mon Sep 17 00:00:00 2001 | ||
2 | From: Roland Shoemaker <bracewell@google.com> | ||
3 | Date: Thu, 13 Apr 2023 14:01:50 -0700 | ||
4 | Subject: [PATCH] html/template: emit filterFailsafe for empty unquoted attr | ||
5 | value | ||
6 | |||
7 | An unquoted action used as an attribute value can result in unsafe | ||
8 | behavior if it is empty, as HTML normalization will result in unexpected | ||
9 | attributes, and may allow attribute injection. If executing a template | ||
10 | results in a empty unquoted attribute value, emit filterFailsafe | ||
11 | instead. | ||
12 | |||
13 | Thanks to Juho Nurminen of Mattermost for reporting this issue. | ||
14 | |||
15 | Fixes #59722 | ||
16 | Fixes CVE-2023-29400 | ||
17 | |||
18 | Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a | ||
19 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631 | ||
20 | Reviewed-by: Julie Qiu <julieqiu@google.com> | ||
21 | Run-TryBot: Roland Shoemaker <bracewell@google.com> | ||
22 | Reviewed-by: Damien Neil <dneil@google.com> | ||
23 | Reviewed-on: https://go-review.googlesource.com/c/go/+/491617 | ||
24 | Run-TryBot: Carlos Amedee <carlos@golang.org> | ||
25 | Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> | ||
26 | Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
27 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
28 | |||
29 | Upstream-Status: Backport from [https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc] | ||
30 | CVE: CVE-2023-29400 | ||
31 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
32 | --- | ||
33 | src/html/template/escape.go | 5 ++--- | ||
34 | src/html/template/escape_test.go | 15 +++++++++++++++ | ||
35 | src/html/template/html.go | 3 +++ | ||
36 | 3 files changed, 20 insertions(+), 3 deletions(-) | ||
37 | |||
38 | diff --git a/src/html/template/escape.go b/src/html/template/escape.go | ||
39 | index 4ba1d6b31897e..a62ef159f0dcd 100644 | ||
40 | --- a/src/html/template/escape.go | ||
41 | +++ b/src/html/template/escape.go | ||
42 | @@ -382,9 +382,8 @@ func normalizeEscFn(e string) string { | ||
43 | // for all x. | ||
44 | var redundantFuncs = map[string]map[string]bool{ | ||
45 | "_html_template_commentescaper": { | ||
46 | - "_html_template_attrescaper": true, | ||
47 | - "_html_template_nospaceescaper": true, | ||
48 | - "_html_template_htmlescaper": true, | ||
49 | + "_html_template_attrescaper": true, | ||
50 | + "_html_template_htmlescaper": true, | ||
51 | }, | ||
52 | "_html_template_cssescaper": { | ||
53 | "_html_template_attrescaper": true, | ||
54 | diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go | ||
55 | index 3dd212bac9406..f8b2b448f2dfa 100644 | ||
56 | --- a/src/html/template/escape_test.go | ||
57 | +++ b/src/html/template/escape_test.go | ||
58 | @@ -678,6 +678,21 @@ func TestEscape(t *testing.T) { | ||
59 | `<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`, | ||
60 | `<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`, | ||
61 | }, | ||
62 | + { | ||
63 | + "unquoted empty attribute value (plaintext)", | ||
64 | + "<p name={{.U}}>", | ||
65 | + "<p name=ZgotmplZ>", | ||
66 | + }, | ||
67 | + { | ||
68 | + "unquoted empty attribute value (url)", | ||
69 | + "<p href={{.U}}>", | ||
70 | + "<p href=ZgotmplZ>", | ||
71 | + }, | ||
72 | + { | ||
73 | + "quoted empty attribute value", | ||
74 | + "<p name=\"{{.U}}\">", | ||
75 | + "<p name=\"\">", | ||
76 | + }, | ||
77 | } | ||
78 | |||
79 | for _, test := range tests { | ||
80 | diff --git a/src/html/template/html.go b/src/html/template/html.go | ||
81 | index bcca0b51a0ef9..a181699a5bda8 100644 | ||
82 | --- a/src/html/template/html.go | ||
83 | +++ b/src/html/template/html.go | ||
84 | @@ -14,6 +14,9 @@ import ( | ||
85 | // htmlNospaceEscaper escapes for inclusion in unquoted attribute values. | ||
86 | func htmlNospaceEscaper(args ...interface{}) string { | ||
87 | s, t := stringify(args...) | ||
88 | + if s == "" { | ||
89 | + return filterFailsafe | ||
90 | + } | ||
91 | if t == contentTypeHTML { | ||
92 | return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false) | ||
93 | } | ||
94 | |||