diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch new file mode 100644 index 0000000000..13d3510504 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Neil <dneil@google.com> | ||
3 | Date: Thu, 11 Jan 2024 11:31:57 -0800 | ||
4 | Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid | ||
5 | subdomain matches on IPv6 zones | ||
6 | |||
7 | When deciding whether to forward cookies or sensitive headers | ||
8 | across a redirect, do not attempt to interpret an IPv6 address | ||
9 | as a domain name. | ||
10 | |||
11 | Avoids a case where a maliciously-crafted redirect to an | ||
12 | IPv6 address with a scoped addressing zone could be | ||
13 | misinterpreted as a within-domain redirect. For example, | ||
14 | we could interpret "::1%.www.example.com" as a subdomain | ||
15 | of "www.example.com". | ||
16 | |||
17 | Thanks to Juho Nurminen of Mattermost for reporting this issue. | ||
18 | |||
19 | Fixes CVE-2023-45289 | ||
20 | Fixes #65385 | ||
21 | For #65065 | ||
22 | |||
23 | Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 | ||
24 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 | ||
25 | Reviewed-by: Tatiana Bradley <tatianabradley@google.com> | ||
26 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
27 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775 | ||
28 | Reviewed-by: Carlos Amedee <amedee@google.com> | ||
29 | Reviewed-on: https://go-review.googlesource.com/c/go/+/569239 | ||
30 | Reviewed-by: Carlos Amedee <carlos@golang.org> | ||
31 | Auto-Submit: Michael Knyszek <mknyszek@google.com> | ||
32 | TryBot-Bypass: Michael Knyszek <mknyszek@google.com> | ||
33 | |||
34 | Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1] | ||
35 | CVE: CVE-2023-45289 | ||
36 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
37 | --- | ||
38 | src/net/http/client.go | 6 ++++++ | ||
39 | src/net/http/client_test.go | 1 + | ||
40 | src/net/http/cookiejar/jar.go | 7 +++++++ | ||
41 | src/net/http/cookiejar/jar_test.go | 10 ++++++++++ | ||
42 | 4 files changed, 24 insertions(+) | ||
43 | |||
44 | diff --git a/src/net/http/client.go b/src/net/http/client.go | ||
45 | index a496f1c..2031834 100644 | ||
46 | --- a/src/net/http/client.go | ||
47 | +++ b/src/net/http/client.go | ||
48 | @@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool { | ||
49 | if sub == parent { | ||
50 | return true | ||
51 | } | ||
52 | + // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). | ||
53 | + // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. | ||
54 | + // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". | ||
55 | + if strings.ContainsAny(sub, ":%") { | ||
56 | + return false | ||
57 | + } | ||
58 | // If sub is "foo.example.com" and parent is "example.com", | ||
59 | // that means sub must end in "."+parent. | ||
60 | // Do it without allocating. | ||
61 | diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go | ||
62 | index 2b4f53f..442fe35 100644 | ||
63 | --- a/src/net/http/client_test.go | ||
64 | +++ b/src/net/http/client_test.go | ||
65 | @@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { | ||
66 | {"cookie2", "http://foo.com/", "http://bar.com/", false}, | ||
67 | {"authorization", "http://foo.com/", "http://bar.com/", false}, | ||
68 | {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, | ||
69 | + {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, | ||
70 | |||
71 | // But subdomains should work: | ||
72 | {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, | ||
73 | diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go | ||
74 | index 9f19917..18cbfc2 100644 | ||
75 | --- a/src/net/http/cookiejar/jar.go | ||
76 | +++ b/src/net/http/cookiejar/jar.go | ||
77 | @@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string { | ||
78 | |||
79 | // isIP reports whether host is an IP address. | ||
80 | func isIP(host string) bool { | ||
81 | + if strings.ContainsAny(host, ":%") { | ||
82 | + // Probable IPv6 address. | ||
83 | + // Hostnames can't contain : or %, so this is definitely not a valid host. | ||
84 | + // Treating it as an IP is the more conservative option, and avoids the risk | ||
85 | + // of interpeting ::1%.www.example.com as a subtomain of www.example.com. | ||
86 | + return true | ||
87 | + } | ||
88 | return net.ParseIP(host) != nil | ||
89 | } | ||
90 | |||
91 | diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go | ||
92 | index 47fb1ab..fd8d40e 100644 | ||
93 | --- a/src/net/http/cookiejar/jar_test.go | ||
94 | +++ b/src/net/http/cookiejar/jar_test.go | ||
95 | @@ -251,6 +251,7 @@ var isIPTests = map[string]bool{ | ||
96 | "127.0.0.1": true, | ||
97 | "1.2.3.4": true, | ||
98 | "2001:4860:0:2001::68": true, | ||
99 | + "::1%zone": true, | ||
100 | "example.com": false, | ||
101 | "1.1.1.300": false, | ||
102 | "www.foo.bar.net": false, | ||
103 | @@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{ | ||
104 | {"http://www.host.test:1234/", "a=1"}, | ||
105 | }, | ||
106 | }, | ||
107 | + { | ||
108 | + "IPv6 zone is not treated as a host.", | ||
109 | + "https://example.com/", | ||
110 | + []string{"a=1"}, | ||
111 | + "a=1", | ||
112 | + []query{ | ||
113 | + {"https://[::1%25.example.com]:80/", ""}, | ||
114 | + }, | ||
115 | + }, | ||
116 | } | ||
117 | |||
118 | func TestBasics(t *testing.T) { | ||
119 | -- | ||
120 | 2.25.1 | ||
121 | |||