diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch | 262 |
1 files changed, 262 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch new file mode 100644 index 0000000000..00def8fcda --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch | |||
@@ -0,0 +1,262 @@ | |||
1 | From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 | ||
2 | From: Roland Shoemaker <bracewell@google.com> | ||
3 | Date: Thu, 3 Aug 2023 12:24:13 -0700 | ||
4 | Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like | ||
5 | comments in script contexts | ||
6 | |||
7 | Per Appendix B.1.1 of the ECMAScript specification, support HTML-like | ||
8 | comments in script contexts. Also per section 12.5, support hashbang | ||
9 | comments. This brings our parsing in-line with how browsers treat these | ||
10 | comment types. | ||
11 | |||
12 | Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for | ||
13 | reporting this issue. | ||
14 | |||
15 | Fixes #62196 | ||
16 | Fixes #62395 | ||
17 | Fixes CVE-2023-39318 | ||
18 | |||
19 | Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 | ||
20 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 | ||
21 | Run-TryBot: Roland Shoemaker <bracewell@google.com> | ||
22 | Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
23 | Reviewed-by: Damien Neil <dneil@google.com> | ||
24 | Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
25 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 | ||
26 | Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 | ||
27 | Run-TryBot: Cherry Mui <cherryyz@google.com> | ||
28 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
29 | |||
30 | Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] | ||
31 | CVE: CVE-2023-39318 | ||
32 | Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> | ||
33 | --- | ||
34 | src/html/template/context.go | 6 ++- | ||
35 | src/html/template/escape.go | 5 +- | ||
36 | src/html/template/escape_test.go | 10 ++++ | ||
37 | src/html/template/state_string.go | 26 +++++----- | ||
38 | src/html/template/transition.go | 80 ++++++++++++++++++++----------- | ||
39 | 5 files changed, 84 insertions(+), 43 deletions(-) | ||
40 | |||
41 | diff --git a/src/html/template/context.go b/src/html/template/context.go | ||
42 | index 0b65313..4eb7891 100644 | ||
43 | --- a/src/html/template/context.go | ||
44 | +++ b/src/html/template/context.go | ||
45 | @@ -124,6 +124,10 @@ const ( | ||
46 | stateJSBlockCmt | ||
47 | // stateJSLineCmt occurs inside a JavaScript // line comment. | ||
48 | stateJSLineCmt | ||
49 | + // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment. | ||
50 | + stateJSHTMLOpenCmt | ||
51 | + // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment. | ||
52 | + stateJSHTMLCloseCmt | ||
53 | // stateCSS occurs inside a <style> element or style attribute. | ||
54 | stateCSS | ||
55 | // stateCSSDqStr occurs inside a CSS double quoted string. | ||
56 | @@ -149,7 +153,7 @@ const ( | ||
57 | // authors & maintainers, not for end-users or machines. | ||
58 | func isComment(s state) bool { | ||
59 | switch s { | ||
60 | - case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt: | ||
61 | + case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt: | ||
62 | return true | ||
63 | } | ||
64 | return false | ||
65 | diff --git a/src/html/template/escape.go b/src/html/template/escape.go | ||
66 | index 435f912..ad2ec69 100644 | ||
67 | --- a/src/html/template/escape.go | ||
68 | +++ b/src/html/template/escape.go | ||
69 | @@ -698,9 +698,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context { | ||
70 | if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone { | ||
71 | // Preserve the portion between written and the comment start. | ||
72 | cs := i1 - 2 | ||
73 | - if c1.state == stateHTMLCmt { | ||
74 | + if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt { | ||
75 | // "<!--" instead of "/*" or "//" | ||
76 | cs -= 2 | ||
77 | + } else if c1.state == stateJSHTMLCloseCmt { | ||
78 | + // "-->" instead of "/*" or "//" | ||
79 | + cs -= 1 | ||
80 | } | ||
81 | b.Write(s[written:cs]) | ||
82 | written = i1 | ||
83 | diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go | ||
84 | index f550691..5f41e52 100644 | ||
85 | --- a/src/html/template/escape_test.go | ||
86 | +++ b/src/html/template/escape_test.go | ||
87 | @@ -503,6 +503,16 @@ func TestEscape(t *testing.T) { | ||
88 | "<script>var a/*b*///c\nd</script>", | ||
89 | "<script>var a \nd</script>", | ||
90 | }, | ||
91 | + { | ||
92 | + "JS HTML-like comments", | ||
93 | + "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>", | ||
94 | + "<script>before \nbetween\nbefore\n</script>", | ||
95 | + }, | ||
96 | + { | ||
97 | + "JS hashbang comment", | ||
98 | + "<script>#! beep\n</script>", | ||
99 | + "<script>\n</script>", | ||
100 | + }, | ||
101 | { | ||
102 | "CSS comments", | ||
103 | "<style>p// paragraph\n" + | ||
104 | diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go | ||
105 | index 05104be..b5cfe70 100644 | ||
106 | --- a/src/html/template/state_string.go | ||
107 | +++ b/src/html/template/state_string.go | ||
108 | @@ -25,21 +25,23 @@ func _() { | ||
109 | _ = x[stateJSRegexp-14] | ||
110 | _ = x[stateJSBlockCmt-15] | ||
111 | _ = x[stateJSLineCmt-16] | ||
112 | - _ = x[stateCSS-17] | ||
113 | - _ = x[stateCSSDqStr-18] | ||
114 | - _ = x[stateCSSSqStr-19] | ||
115 | - _ = x[stateCSSDqURL-20] | ||
116 | - _ = x[stateCSSSqURL-21] | ||
117 | - _ = x[stateCSSURL-22] | ||
118 | - _ = x[stateCSSBlockCmt-23] | ||
119 | - _ = x[stateCSSLineCmt-24] | ||
120 | - _ = x[stateError-25] | ||
121 | - _ = x[stateDead-26] | ||
122 | + _ = x[stateJSHTMLOpenCmt-17] | ||
123 | + _ = x[stateJSHTMLCloseCmt-18] | ||
124 | + _ = x[stateCSS-19] | ||
125 | + _ = x[stateCSSDqStr-20] | ||
126 | + _ = x[stateCSSSqStr-21] | ||
127 | + _ = x[stateCSSDqURL-22] | ||
128 | + _ = x[stateCSSSqURL-23] | ||
129 | + _ = x[stateCSSURL-24] | ||
130 | + _ = x[stateCSSBlockCmt-25] | ||
131 | + _ = x[stateCSSLineCmt-26] | ||
132 | + _ = x[stateError-27] | ||
133 | + _ = x[stateDead-28] | ||
134 | } | ||
135 | |||
136 | -const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" | ||
137 | +const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" | ||
138 | |||
139 | -var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317} | ||
140 | +var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354} | ||
141 | |||
142 | func (i state) String() string { | ||
143 | if i >= state(len(_state_index)-1) { | ||
144 | diff --git a/src/html/template/transition.go b/src/html/template/transition.go | ||
145 | index 92eb351..12aa4c4 100644 | ||
146 | --- a/src/html/template/transition.go | ||
147 | +++ b/src/html/template/transition.go | ||
148 | @@ -14,32 +14,34 @@ import ( | ||
149 | // the updated context and the number of bytes consumed from the front of the | ||
150 | // input. | ||
151 | var transitionFunc = [...]func(context, []byte) (context, int){ | ||
152 | - stateText: tText, | ||
153 | - stateTag: tTag, | ||
154 | - stateAttrName: tAttrName, | ||
155 | - stateAfterName: tAfterName, | ||
156 | - stateBeforeValue: tBeforeValue, | ||
157 | - stateHTMLCmt: tHTMLCmt, | ||
158 | - stateRCDATA: tSpecialTagEnd, | ||
159 | - stateAttr: tAttr, | ||
160 | - stateURL: tURL, | ||
161 | - stateSrcset: tURL, | ||
162 | - stateJS: tJS, | ||
163 | - stateJSDqStr: tJSDelimited, | ||
164 | - stateJSSqStr: tJSDelimited, | ||
165 | - stateJSBqStr: tJSDelimited, | ||
166 | - stateJSRegexp: tJSDelimited, | ||
167 | - stateJSBlockCmt: tBlockCmt, | ||
168 | - stateJSLineCmt: tLineCmt, | ||
169 | - stateCSS: tCSS, | ||
170 | - stateCSSDqStr: tCSSStr, | ||
171 | - stateCSSSqStr: tCSSStr, | ||
172 | - stateCSSDqURL: tCSSStr, | ||
173 | - stateCSSSqURL: tCSSStr, | ||
174 | - stateCSSURL: tCSSStr, | ||
175 | - stateCSSBlockCmt: tBlockCmt, | ||
176 | - stateCSSLineCmt: tLineCmt, | ||
177 | - stateError: tError, | ||
178 | + stateText: tText, | ||
179 | + stateTag: tTag, | ||
180 | + stateAttrName: tAttrName, | ||
181 | + stateAfterName: tAfterName, | ||
182 | + stateBeforeValue: tBeforeValue, | ||
183 | + stateHTMLCmt: tHTMLCmt, | ||
184 | + stateRCDATA: tSpecialTagEnd, | ||
185 | + stateAttr: tAttr, | ||
186 | + stateURL: tURL, | ||
187 | + stateSrcset: tURL, | ||
188 | + stateJS: tJS, | ||
189 | + stateJSDqStr: tJSDelimited, | ||
190 | + stateJSSqStr: tJSDelimited, | ||
191 | + stateJSBqStr: tJSDelimited, | ||
192 | + stateJSRegexp: tJSDelimited, | ||
193 | + stateJSBlockCmt: tBlockCmt, | ||
194 | + stateJSLineCmt: tLineCmt, | ||
195 | + stateJSHTMLOpenCmt: tLineCmt, | ||
196 | + stateJSHTMLCloseCmt: tLineCmt, | ||
197 | + stateCSS: tCSS, | ||
198 | + stateCSSDqStr: tCSSStr, | ||
199 | + stateCSSSqStr: tCSSStr, | ||
200 | + stateCSSDqURL: tCSSStr, | ||
201 | + stateCSSSqURL: tCSSStr, | ||
202 | + stateCSSURL: tCSSStr, | ||
203 | + stateCSSBlockCmt: tBlockCmt, | ||
204 | + stateCSSLineCmt: tLineCmt, | ||
205 | + stateError: tError, | ||
206 | } | ||
207 | |||
208 | var commentStart = []byte("<!--") | ||
209 | @@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) { | ||
210 | |||
211 | // tJS is the context transition function for the JS state. | ||
212 | func tJS(c context, s []byte) (context, int) { | ||
213 | - i := bytes.IndexAny(s, "\"`'/") | ||
214 | + i := bytes.IndexAny(s, "\"`'/<-#") | ||
215 | if i == -1 { | ||
216 | // Entire input is non string, comment, regexp tokens. | ||
217 | c.jsCtx = nextJSCtx(s, c.jsCtx) | ||
218 | @@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) { | ||
219 | err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]), | ||
220 | }, len(s) | ||
221 | } | ||
222 | + // ECMAScript supports HTML style comments for legacy reasons, see Appendix | ||
223 | + // B.1.1 "HTML-like Comments". The handling of these comments is somewhat | ||
224 | + // confusing. Multi-line comments are not supported, i.e. anything on lines | ||
225 | + // between the opening and closing tokens is not considered a comment, but | ||
226 | + // anything following the opening or closing token, on the same line, is | ||
227 | + // ignored. As such we simply treat any line prefixed with "<!--" or "-->" | ||
228 | + // as if it were actually prefixed with "//" and move on. | ||
229 | + case '<': | ||
230 | + if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) { | ||
231 | + c.state, i = stateJSHTMLOpenCmt, i+3 | ||
232 | + } | ||
233 | + case '-': | ||
234 | + if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) { | ||
235 | + c.state, i = stateJSHTMLCloseCmt, i+2 | ||
236 | + } | ||
237 | + // ECMAScript also supports "hashbang" comment lines, see Section 12.5. | ||
238 | + case '#': | ||
239 | + if i+1 < len(s) && s[i+1] == '!' { | ||
240 | + c.state, i = stateJSLineCmt, i+1 | ||
241 | + } | ||
242 | default: | ||
243 | panic("unreachable") | ||
244 | } | ||
245 | @@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) { | ||
246 | return c, i + 2 | ||
247 | } | ||
248 | |||
249 | -// tLineCmt is the context transition function for //comment states. | ||
250 | +// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state. | ||
251 | func tLineCmt(c context, s []byte) (context, int) { | ||
252 | var lineTerminators string | ||
253 | var endState state | ||
254 | switch c.state { | ||
255 | - case stateJSLineCmt: | ||
256 | + case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt: | ||
257 | lineTerminators, endState = "\n\r\u2028\u2029", stateJS | ||
258 | case stateCSSLineCmt: | ||
259 | lineTerminators, endState = "\n\f\r", stateCSS | ||
260 | -- | ||
261 | 2.24.4 | ||
262 | |||