summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch')
-rw-r--r--meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch262
1 files changed, 262 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
new file mode 100644
index 0000000000..00def8fcda
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
@@ -0,0 +1,262 @@
1From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Thu, 3 Aug 2023 12:24:13 -0700
4Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
5 comments in script contexts
6
7Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
8comments in script contexts. Also per section 12.5, support hashbang
9comments. This brings our parsing in-line with how browsers treat these
10comment types.
11
12Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
13reporting this issue.
14
15Fixes #62196
16Fixes #62395
17Fixes CVE-2023-39318
18
19Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
20Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
21Run-TryBot: Roland Shoemaker <bracewell@google.com>
22Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
23Reviewed-by: Damien Neil <dneil@google.com>
24Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
25Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
26Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
27Run-TryBot: Cherry Mui <cherryyz@google.com>
28TryBot-Result: Gopher Robot <gobot@golang.org>
29
30Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c]
31CVE: CVE-2023-39318
32Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
33---
34 src/html/template/context.go | 6 ++-
35 src/html/template/escape.go | 5 +-
36 src/html/template/escape_test.go | 10 ++++
37 src/html/template/state_string.go | 26 +++++-----
38 src/html/template/transition.go | 80 ++++++++++++++++++++-----------
39 5 files changed, 84 insertions(+), 43 deletions(-)
40
41diff --git a/src/html/template/context.go b/src/html/template/context.go
42index 0b65313..4eb7891 100644
43--- a/src/html/template/context.go
44+++ b/src/html/template/context.go
45@@ -124,6 +124,10 @@ const (
46 stateJSBlockCmt
47 // stateJSLineCmt occurs inside a JavaScript // line comment.
48 stateJSLineCmt
49+ // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
50+ stateJSHTMLOpenCmt
51+ // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
52+ stateJSHTMLCloseCmt
53 // stateCSS occurs inside a <style> element or style attribute.
54 stateCSS
55 // stateCSSDqStr occurs inside a CSS double quoted string.
56@@ -149,7 +153,7 @@ const (
57 // authors & maintainers, not for end-users or machines.
58 func isComment(s state) bool {
59 switch s {
60- case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
61+ case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
62 return true
63 }
64 return false
65diff --git a/src/html/template/escape.go b/src/html/template/escape.go
66index 435f912..ad2ec69 100644
67--- a/src/html/template/escape.go
68+++ b/src/html/template/escape.go
69@@ -698,9 +698,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
70 if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
71 // Preserve the portion between written and the comment start.
72 cs := i1 - 2
73- if c1.state == stateHTMLCmt {
74+ if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
75 // "<!--" instead of "/*" or "//"
76 cs -= 2
77+ } else if c1.state == stateJSHTMLCloseCmt {
78+ // "-->" instead of "/*" or "//"
79+ cs -= 1
80 }
81 b.Write(s[written:cs])
82 written = i1
83diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
84index f550691..5f41e52 100644
85--- a/src/html/template/escape_test.go
86+++ b/src/html/template/escape_test.go
87@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
88 "<script>var a/*b*///c\nd</script>",
89 "<script>var a \nd</script>",
90 },
91+ {
92+ "JS HTML-like comments",
93+ "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
94+ "<script>before \nbetween\nbefore\n</script>",
95+ },
96+ {
97+ "JS hashbang comment",
98+ "<script>#! beep\n</script>",
99+ "<script>\n</script>",
100+ },
101 {
102 "CSS comments",
103 "<style>p// paragraph\n" +
104diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
105index 05104be..b5cfe70 100644
106--- a/src/html/template/state_string.go
107+++ b/src/html/template/state_string.go
108@@ -25,21 +25,23 @@ func _() {
109 _ = x[stateJSRegexp-14]
110 _ = x[stateJSBlockCmt-15]
111 _ = x[stateJSLineCmt-16]
112- _ = x[stateCSS-17]
113- _ = x[stateCSSDqStr-18]
114- _ = x[stateCSSSqStr-19]
115- _ = x[stateCSSDqURL-20]
116- _ = x[stateCSSSqURL-21]
117- _ = x[stateCSSURL-22]
118- _ = x[stateCSSBlockCmt-23]
119- _ = x[stateCSSLineCmt-24]
120- _ = x[stateError-25]
121- _ = x[stateDead-26]
122+ _ = x[stateJSHTMLOpenCmt-17]
123+ _ = x[stateJSHTMLCloseCmt-18]
124+ _ = x[stateCSS-19]
125+ _ = x[stateCSSDqStr-20]
126+ _ = x[stateCSSSqStr-21]
127+ _ = x[stateCSSDqURL-22]
128+ _ = x[stateCSSSqURL-23]
129+ _ = x[stateCSSURL-24]
130+ _ = x[stateCSSBlockCmt-25]
131+ _ = x[stateCSSLineCmt-26]
132+ _ = x[stateError-27]
133+ _ = x[stateDead-28]
134 }
135
136-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
137+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
138
139-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
140+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
141
142 func (i state) String() string {
143 if i >= state(len(_state_index)-1) {
144diff --git a/src/html/template/transition.go b/src/html/template/transition.go
145index 92eb351..12aa4c4 100644
146--- a/src/html/template/transition.go
147+++ b/src/html/template/transition.go
148@@ -14,32 +14,34 @@ import (
149 // the updated context and the number of bytes consumed from the front of the
150 // input.
151 var transitionFunc = [...]func(context, []byte) (context, int){
152- stateText: tText,
153- stateTag: tTag,
154- stateAttrName: tAttrName,
155- stateAfterName: tAfterName,
156- stateBeforeValue: tBeforeValue,
157- stateHTMLCmt: tHTMLCmt,
158- stateRCDATA: tSpecialTagEnd,
159- stateAttr: tAttr,
160- stateURL: tURL,
161- stateSrcset: tURL,
162- stateJS: tJS,
163- stateJSDqStr: tJSDelimited,
164- stateJSSqStr: tJSDelimited,
165- stateJSBqStr: tJSDelimited,
166- stateJSRegexp: tJSDelimited,
167- stateJSBlockCmt: tBlockCmt,
168- stateJSLineCmt: tLineCmt,
169- stateCSS: tCSS,
170- stateCSSDqStr: tCSSStr,
171- stateCSSSqStr: tCSSStr,
172- stateCSSDqURL: tCSSStr,
173- stateCSSSqURL: tCSSStr,
174- stateCSSURL: tCSSStr,
175- stateCSSBlockCmt: tBlockCmt,
176- stateCSSLineCmt: tLineCmt,
177- stateError: tError,
178+ stateText: tText,
179+ stateTag: tTag,
180+ stateAttrName: tAttrName,
181+ stateAfterName: tAfterName,
182+ stateBeforeValue: tBeforeValue,
183+ stateHTMLCmt: tHTMLCmt,
184+ stateRCDATA: tSpecialTagEnd,
185+ stateAttr: tAttr,
186+ stateURL: tURL,
187+ stateSrcset: tURL,
188+ stateJS: tJS,
189+ stateJSDqStr: tJSDelimited,
190+ stateJSSqStr: tJSDelimited,
191+ stateJSBqStr: tJSDelimited,
192+ stateJSRegexp: tJSDelimited,
193+ stateJSBlockCmt: tBlockCmt,
194+ stateJSLineCmt: tLineCmt,
195+ stateJSHTMLOpenCmt: tLineCmt,
196+ stateJSHTMLCloseCmt: tLineCmt,
197+ stateCSS: tCSS,
198+ stateCSSDqStr: tCSSStr,
199+ stateCSSSqStr: tCSSStr,
200+ stateCSSDqURL: tCSSStr,
201+ stateCSSSqURL: tCSSStr,
202+ stateCSSURL: tCSSStr,
203+ stateCSSBlockCmt: tBlockCmt,
204+ stateCSSLineCmt: tLineCmt,
205+ stateError: tError,
206 }
207
208 var commentStart = []byte("<!--")
209@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
210
211 // tJS is the context transition function for the JS state.
212 func tJS(c context, s []byte) (context, int) {
213- i := bytes.IndexAny(s, "\"`'/")
214+ i := bytes.IndexAny(s, "\"`'/<-#")
215 if i == -1 {
216 // Entire input is non string, comment, regexp tokens.
217 c.jsCtx = nextJSCtx(s, c.jsCtx)
218@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
219 err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
220 }, len(s)
221 }
222+ // ECMAScript supports HTML style comments for legacy reasons, see Appendix
223+ // B.1.1 "HTML-like Comments". The handling of these comments is somewhat
224+ // confusing. Multi-line comments are not supported, i.e. anything on lines
225+ // between the opening and closing tokens is not considered a comment, but
226+ // anything following the opening or closing token, on the same line, is
227+ // ignored. As such we simply treat any line prefixed with "<!--" or "-->"
228+ // as if it were actually prefixed with "//" and move on.
229+ case '<':
230+ if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
231+ c.state, i = stateJSHTMLOpenCmt, i+3
232+ }
233+ case '-':
234+ if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
235+ c.state, i = stateJSHTMLCloseCmt, i+2
236+ }
237+ // ECMAScript also supports "hashbang" comment lines, see Section 12.5.
238+ case '#':
239+ if i+1 < len(s) && s[i+1] == '!' {
240+ c.state, i = stateJSLineCmt, i+1
241+ }
242 default:
243 panic("unreachable")
244 }
245@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
246 return c, i + 2
247 }
248
249-// tLineCmt is the context transition function for //comment states.
250+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
251 func tLineCmt(c context, s []byte) (context, int) {
252 var lineTerminators string
253 var endState state
254 switch c.state {
255- case stateJSLineCmt:
256+ case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
257 lineTerminators, endState = "\n\r\u2028\u2029", stateJS
258 case stateCSSLineCmt:
259 lineTerminators, endState = "\n\f\r", stateCSS
260--
2612.24.4
262