go: Add fix for CVE-2022-32190

Link: https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec (From OE-Core rev: 3362bbb1a1ce599418dc8377043f7549f9327315) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Shubham Kulkarni <skulkarni@mvista.com> 2022-09-29 20:11:11 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-30 16:34:52 +0100
commit: aa449287a0d2b8cc83243519cc995571e2b92c09 (patch)
tree: 963bb95f659eba2b476527849594504107ada5ad /meta/recipes-devtools
parent: 95ba88b93546bbea9dd958b3d02c937835c4f9ce (diff)
download: poky-aa449287a0d2b8cc83243519cc995571e2b92c09.tar.gz
5 files changed, 244 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 540ea4e62d..2e1d8240f6 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -37,6 +37,10 @@ SRC_URI += "\
    file://CVE-2021-39293.patch \
    file://CVE-2021-41771.patch \
    file://CVE-2022-27664.patch \
+    file://0001-CVE-2022-32190.patch \
+    file://0002-CVE-2022-32190.patch \
+    file://0003-CVE-2022-32190.patch \
+    file://0004-CVE-2022-32190.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
new file mode 100644
index 0000000000..ad263b8023
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
@@ -0,0 +1,74 @@
+From 755f2dc35a19e6806de3ecbf836fa06ad875c67a Mon Sep 17 00:00:00 2001
+From: Carl Johnson <me@carlmjohnson.net>
+Date: Fri, 4 Mar 2022 14:49:52 +0000
+Subject: [PATCH 1/4] net/url: add JoinPath, URL.JoinPath
+Builds on CL 332209.
+Fixes #47005
+Change-Id: I82708dede05d79a196ca63f5a4e7cb5ac9a041ea
+GitHub-Last-Rev: 51b735066eef74f5e67c3e8899c58f44c0383c61
+GitHub-Pull-Request: golang/go#50383
+Reviewed-on: https://go-review.googlesource.com/c/go/+/374654
+Reviewed-by: Russ Cox <rsc@golang.org>
+Auto-Submit: Russ Cox <rsc@golang.org>
+Trust: Ian Lance Taylor <iant@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/604140d93111f89911e17cb147dcf6a02d2700d0]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 2880e82..dea8bfe 100644
+--- a/src/net/url/url.go
+++ b/src/net/url/url.go
+@@ -13,6 +13,7 @@ package url
+ import (
+        "errors"
+        "fmt"
+       "path"
+        "sort"
+        "strconv"
+        "strings"
+@@ -1104,6 +1105,17 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+        return nil
+ }
+// JoinPath returns a new URL with the provided path elements joined to
+// any existing path and the resulting path cleaned of any ./ or ../ elements.
+func (u *URL) JoinPath(elem ...string) *URL {
+       url := *u
+       if len(elem) > 0 {
+               elem = append([]string{u.Path}, elem...)
+               url.setPath(path.Join(elem...))
+       }
+       return &url
+}
+
+ // validUserinfo reports whether s is a valid userinfo string per RFC 3986
+ // Section 3.2.1:
+ //     userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
+@@ -1144,3 +1156,14 @@ func stringContainsCTLByte(s string) bool {
+        }
+        return false
+ }
+
+// JoinPath returns a URL string with the provided path elements joined to
+// the existing path of base and the resulting path cleaned of any ./ or ../ elements.
+func JoinPath(base string, elem ...string) (result string, err error) {
+       url, err := Parse(base)
+       if err != nil {
+               return
+       }
+       result = url.JoinPath(elem...).String()
+       return
+}
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
new file mode 100644
index 0000000000..1a11cc72bc
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
@@ -0,0 +1,48 @@
+From 985108de87e7d2ecb2b28cb53b323d530387b884 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Thu, 31 Mar 2022 13:21:39 -0700
+Subject: [PATCH 2/4] net/url: preserve a trailing slash in JoinPath
+Fixes #52074
+Change-Id: I30897f32e70a6ca0c4e11aaf07088c27336efaba
+Reviewed-on: https://go-review.googlesource.com/c/go/+/397256
+Trust: Ian Lance Taylor <iant@golang.org>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Matt Layher <mdlayher@gmail.com>
+Trust: Matt Layher <mdlayher@gmail.com>
+Upstream-Status: Backport [https://github.com/golang/go/commit/dbb52cc9f3e83a3040f46c2ae7650c15ab342179]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index dea8bfe..3436707 100644
+--- a/src/net/url/url.go
+++ b/src/net/url/url.go
+@@ -1107,11 +1107,18 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ // JoinPath returns a new URL with the provided path elements joined to
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
+// Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+        url := *u
+        if len(elem) > 0 {
+                elem = append([]string{u.Path}, elem...)
+-               url.setPath(path.Join(elem...))
+               p := path.Join(elem...)
+               // path.Join will remove any trailing slashes.
+               // Preserve at least one.
+               if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+                       p += "/"
+               }
+               url.setPath(p)
+        }
+        return &url
+ }
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
new file mode 100644
index 0000000000..816d914983
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
@@ -0,0 +1,36 @@
+From 2c632b883b0f11084cc247c8b50ad6c71fa7b447 Mon Sep 17 00:00:00 2001
+From: Sean Liao <sean@liao.dev>
+Date: Sat, 9 Jul 2022 18:38:45 +0100
+Subject: [PATCH 3/4] net/url: use EscapedPath for url.JoinPath
+Fixes #53763
+Change-Id: I08b53f159ebdce7907e8cc17316fd0c982363239
+Reviewed-on: https://go-review.googlesource.com/c/go/+/416774
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Bryan Mills <bcmills@google.com>
+Run-TryBot: Ian Lance Taylor <iant@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf5898ef53d1693aa572da0da746c05e9a6f15c5]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 3436707..73079a5 100644
+--- a/src/net/url/url.go
+++ b/src/net/url/url.go
+@@ -1111,7 +1111,7 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ func (u *URL) JoinPath(elem ...string) *URL {
+        url := *u
+        if len(elem) > 0 {
+-               elem = append([]string{u.Path}, elem...)
+               elem = append([]string{u.EscapedPath()}, elem...)
+                p := path.Join(elem...)
+                // path.Join will remove any trailing slashes.
+                // Preserve at least one.
+--
+2.7.4
diff --git a/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
new file mode 100644
index 0000000000..4bdff3aed4
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
+From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 12 Aug 2022 16:21:09 -0700
+Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
+JoinPath would fail to remove relative elements from the start of
+the path when the first path element is "".
+In addition, JoinPath would return the original path unmodified
+when provided with no elements to join, violating the documented
+behavior of always cleaning the resulting path.
+Correct both these cases.
+    JoinPath("http://go.dev", "../go")
+    // before: http://go.dev/../go
+    // after:  http://go.dev/go
+    JoinPath("http://go.dev/../go")
+    // before: http://go.dev/../go
+    // after:  http://go.dev/go
+For #54385.
+Fixes #54635.
+Fixes CVE-2022-32190.
+Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Alan Donovan <adonovan@google.com>
+(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
+Run-TryBot: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
+CVE: CVE-2022-32190
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
+---
+ src/net/url/url.go | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+diff --git a/src/net/url/url.go b/src/net/url/url.go
+index 73079a5..1e8baf9 100644
+--- a/src/net/url/url.go
+++ b/src/net/url/url.go
+@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
+ // any existing path and the resulting path cleaned of any ./ or ../ elements.
+ // Any sequences of multiple / characters will be reduced to a single /.
+ func (u *URL) JoinPath(elem ...string) *URL {
+-       url := *u
+-       if len(elem) > 0 {
+-               elem = append([]string{u.EscapedPath()}, elem...)
+-               p := path.Join(elem...)
+-               // path.Join will remove any trailing slashes.
+-               // Preserve at least one.
+-               if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+-                       p += "/"
+-               }
+-               url.setPath(p)
+       elem = append([]string{u.EscapedPath()}, elem...)
+       var p string
+       if !strings.HasPrefix(elem[0], "/") {
+               // Return a relative path if u is relative,
+               // but ensure that it contains no ../ elements.
+               elem[0] = "/" + elem[0]
+               p = path.Join(elem...)[1:]
+       } else {
+               p = path.Join(elem...)
+        }
+       // path.Join will remove any trailing slashes.
+       // Preserve at least one.
+       if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+               p += "/"
+       }
+       url := *u
+       url.setPath(p)
+        return &url
+ }
+--
+2.7.4
author	Shubham Kulkarni <skulkarni@mvista.com>	2022-09-29 20:11:11 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-30 16:34:52 +0100
commit	aa449287a0d2b8cc83243519cc995571e2b92c09 (patch)
tree	963bb95f659eba2b476527849594504107ada5ad /meta/recipes-devtools
parent	95ba88b93546bbea9dd958b3d02c937835c4f9ce (diff)
download	poky-aa449287a0d2b8cc83243519cc995571e2b92c09.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 540ea4e62d..2e1d8240f6 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -37,6 +37,10 @@ SRC_URI += "\
37	file://CVE-2021-39293.patch \	37	file://CVE-2021-39293.patch \
38	file://CVE-2021-41771.patch \	38	file://CVE-2021-41771.patch \
39	file://CVE-2022-27664.patch \	39	file://CVE-2022-27664.patch \
		40	file://0001-CVE-2022-32190.patch \
		41	file://0002-CVE-2022-32190.patch \
		42	file://0003-CVE-2022-32190.patch \
		43	file://0004-CVE-2022-32190.patch \
40	"	44	"
41		45
42	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"	46	SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"


diff --git a/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch new file mode 100644 index 0000000000..ad263b8023 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/0001-CVE-2022-32190.patch
@@ -0,0 +1,74 @@
		1	From 755f2dc35a19e6806de3ecbf836fa06ad875c67a Mon Sep 17 00:00:00 2001
		2	From: Carl Johnson <me@carlmjohnson.net>
		3	Date: Fri, 4 Mar 2022 14:49:52 +0000
		4	Subject: [PATCH 1/4] net/url: add JoinPath, URL.JoinPath
		5
		6	Builds on CL 332209.
		7
		8	Fixes #47005
		9
		10	Change-Id: I82708dede05d79a196ca63f5a4e7cb5ac9a041ea
		11	GitHub-Last-Rev: 51b735066eef74f5e67c3e8899c58f44c0383c61
		12	GitHub-Pull-Request: golang/go#50383
		13	Reviewed-on: https://go-review.googlesource.com/c/go/+/374654
		14	Reviewed-by: Russ Cox <rsc@golang.org>
		15	Auto-Submit: Russ Cox <rsc@golang.org>
		16	Trust: Ian Lance Taylor <iant@golang.org>
		17	Reviewed-by: Damien Neil <dneil@google.com>
		18	Run-TryBot: Ian Lance Taylor <iant@golang.org>
		19	TryBot-Result: Gopher Robot <gobot@golang.org>
		20
		21	Upstream-Status: Backport [https://github.com/golang/go/commit/604140d93111f89911e17cb147dcf6a02d2700d0]
		22	CVE: CVE-2022-32190
		23	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		24	---
		25	src/net/url/url.go \| 23 +++++++++++++++++++++++
		26	1 file changed, 23 insertions(+)
		27
		28	diff --git a/src/net/url/url.go b/src/net/url/url.go
		29	index 2880e82..dea8bfe 100644
		30	--- a/src/net/url/url.go
		31	+++ b/src/net/url/url.go
		32	@@ -13,6 +13,7 @@ package url
		33	import (
		34	"errors"
		35	"fmt"
		36	+ "path"
		37	"sort"
		38	"strconv"
		39	"strings"
		40	@@ -1104,6 +1105,17 @@ func (u *URL) UnmarshalBinary(text []byte) error {
		41	return nil
		42	}
		43
		44	+// JoinPath returns a new URL with the provided path elements joined to
		45	+// any existing path and the resulting path cleaned of any ./ or ../ elements.
		46	+func (u URL) JoinPath(elem ...string) URL {
		47	+ url := *u
		48	+ if len(elem) > 0 {
		49	+ elem = append([]string{u.Path}, elem...)
		50	+ url.setPath(path.Join(elem...))
		51	+ }
		52	+ return &url
		53	+}
		54	+
		55	// validUserinfo reports whether s is a valid userinfo string per RFC 3986
		56	// Section 3.2.1:
		57	// userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
		58	@@ -1144,3 +1156,14 @@ func stringContainsCTLByte(s string) bool {
		59	}
		60	return false
		61	}
		62	+
		63	+// JoinPath returns a URL string with the provided path elements joined to
		64	+// the existing path of base and the resulting path cleaned of any ./ or ../ elements.
		65	+func JoinPath(base string, elem ...string) (result string, err error) {
		66	+ url, err := Parse(base)
		67	+ if err != nil {
		68	+ return
		69	+ }
		70	+ result = url.JoinPath(elem...).String()
		71	+ return
		72	+}
		73	--
		74	2.7.4


diff --git a/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch new file mode 100644 index 0000000000..1a11cc72bc --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/0002-CVE-2022-32190.patch
@@ -0,0 +1,48 @@
		1	From 985108de87e7d2ecb2b28cb53b323d530387b884 Mon Sep 17 00:00:00 2001
		2	From: Ian Lance Taylor <iant@golang.org>
		3	Date: Thu, 31 Mar 2022 13:21:39 -0700
		4	Subject: [PATCH 2/4] net/url: preserve a trailing slash in JoinPath
		5
		6	Fixes #52074
		7
		8	Change-Id: I30897f32e70a6ca0c4e11aaf07088c27336efaba
		9	Reviewed-on: https://go-review.googlesource.com/c/go/+/397256
		10	Trust: Ian Lance Taylor <iant@golang.org>
		11	Run-TryBot: Ian Lance Taylor <iant@golang.org>
		12	TryBot-Result: Gopher Robot <gobot@golang.org>
		13	Reviewed-by: Matt Layher <mdlayher@gmail.com>
		14	Trust: Matt Layher <mdlayher@gmail.com>
		15
		16	Upstream-Status: Backport [https://github.com/golang/go/commit/dbb52cc9f3e83a3040f46c2ae7650c15ab342179]
		17	CVE: CVE-2022-32190
		18	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		19	---
		20	src/net/url/url.go \| 9 ++++++++-
		21	1 file changed, 8 insertions(+), 1 deletion(-)
		22
		23	diff --git a/src/net/url/url.go b/src/net/url/url.go
		24	index dea8bfe..3436707 100644
		25	--- a/src/net/url/url.go
		26	+++ b/src/net/url/url.go
		27	@@ -1107,11 +1107,18 @@ func (u *URL) UnmarshalBinary(text []byte) error {
		28
		29	// JoinPath returns a new URL with the provided path elements joined to
		30	// any existing path and the resulting path cleaned of any ./ or ../ elements.
		31	+// Any sequences of multiple / characters will be reduced to a single /.
		32	func (u URL) JoinPath(elem ...string) URL {
		33	url := *u
		34	if len(elem) > 0 {
		35	elem = append([]string{u.Path}, elem...)
		36	- url.setPath(path.Join(elem...))
		37	+ p := path.Join(elem...)
		38	+ // path.Join will remove any trailing slashes.
		39	+ // Preserve at least one.
		40	+ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
		41	+ p += "/"
		42	+ }
		43	+ url.setPath(p)
		44	}
		45	return &url
		46	}
		47	--
		48	2.7.4


diff --git a/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch new file mode 100644 index 0000000000..816d914983 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch
@@ -0,0 +1,36 @@
		1	From 2c632b883b0f11084cc247c8b50ad6c71fa7b447 Mon Sep 17 00:00:00 2001
		2	From: Sean Liao <sean@liao.dev>
		3	Date: Sat, 9 Jul 2022 18:38:45 +0100
		4	Subject: [PATCH 3/4] net/url: use EscapedPath for url.JoinPath
		5
		6	Fixes #53763
		7
		8	Change-Id: I08b53f159ebdce7907e8cc17316fd0c982363239
		9	Reviewed-on: https://go-review.googlesource.com/c/go/+/416774
		10	TryBot-Result: Gopher Robot <gobot@golang.org>
		11	Reviewed-by: Damien Neil <dneil@google.com>
		12	Reviewed-by: Bryan Mills <bcmills@google.com>
		13	Run-TryBot: Ian Lance Taylor <iant@golang.org>
		14
		15	Upstream-Status: Backport [https://github.com/golang/go/commit/bf5898ef53d1693aa572da0da746c05e9a6f15c5]
		16	CVE: CVE-2022-32190
		17	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		18	---
		19	src/net/url/url.go \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/src/net/url/url.go b/src/net/url/url.go
		23	index 3436707..73079a5 100644
		24	--- a/src/net/url/url.go
		25	+++ b/src/net/url/url.go
		26	@@ -1111,7 +1111,7 @@ func (u *URL) UnmarshalBinary(text []byte) error {
		27	func (u URL) JoinPath(elem ...string) URL {
		28	url := *u
		29	if len(elem) > 0 {
		30	- elem = append([]string{u.Path}, elem...)
		31	+ elem = append([]string{u.EscapedPath()}, elem...)
		32	p := path.Join(elem...)
		33	// path.Join will remove any trailing slashes.
		34	// Preserve at least one.
		35	--
		36	2.7.4


diff --git a/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch new file mode 100644 index 0000000000..4bdff3aed4 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/0004-CVE-2022-32190.patch
@@ -0,0 +1,82 @@
		1	From f61e428699cbb52bab31fe2c124f49d085a209fe Mon Sep 17 00:00:00 2001
		2	From: Damien Neil <dneil@google.com>
		3	Date: Fri, 12 Aug 2022 16:21:09 -0700
		4	Subject: [PATCH 4/4] net/url: consistently remove ../ elements in JoinPath
		5
		6	JoinPath would fail to remove relative elements from the start of
		7	the path when the first path element is "".
		8
		9	In addition, JoinPath would return the original path unmodified
		10	when provided with no elements to join, violating the documented
		11	behavior of always cleaning the resulting path.
		12
		13	Correct both these cases.
		14
		15	JoinPath("http://go.dev", "../go")
		16	// before: http://go.dev/../go
		17	// after: http://go.dev/go
		18
		19	JoinPath("http://go.dev/../go")
		20	// before: http://go.dev/../go
		21	// after: http://go.dev/go
		22
		23	For #54385.
		24	Fixes #54635.
		25	Fixes CVE-2022-32190.
		26
		27	Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
		28	Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
		29	Reviewed-by: David Chase <drchase@google.com>
		30	Reviewed-by: Alan Donovan <adonovan@google.com>
		31	(cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51)
		32	Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
		33	Run-TryBot: Damien Neil <dneil@google.com>
		34	TryBot-Result: Gopher Robot <gobot@golang.org>
		35
		36	Upstream-Status: Backport [https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec]
		37	CVE: CVE-2022-32190
		38	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
		39	---
		40	src/net/url/url.go \| 26 ++++++++++++++++----------
		41	1 file changed, 16 insertions(+), 10 deletions(-)
		42
		43	diff --git a/src/net/url/url.go b/src/net/url/url.go
		44	index 73079a5..1e8baf9 100644
		45	--- a/src/net/url/url.go
		46	+++ b/src/net/url/url.go
		47	@@ -1109,17 +1109,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
		48	// any existing path and the resulting path cleaned of any ./ or ../ elements.
		49	// Any sequences of multiple / characters will be reduced to a single /.
		50	func (u URL) JoinPath(elem ...string) URL {
		51	- url := *u
		52	- if len(elem) > 0 {
		53	- elem = append([]string{u.EscapedPath()}, elem...)
		54	- p := path.Join(elem...)
		55	- // path.Join will remove any trailing slashes.
		56	- // Preserve at least one.
		57	- if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
		58	- p += "/"
		59	- }
		60	- url.setPath(p)
		61	+ elem = append([]string{u.EscapedPath()}, elem...)
		62	+ var p string
		63	+ if !strings.HasPrefix(elem[0], "/") {
		64	+ // Return a relative path if u is relative,
		65	+ // but ensure that it contains no ../ elements.
		66	+ elem[0] = "/" + elem[0]
		67	+ p = path.Join(elem...)[1:]
		68	+ } else {
		69	+ p = path.Join(elem...)
		70	}
		71	+ // path.Join will remove any trailing slashes.
		72	+ // Preserve at least one.
		73	+ if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
		74	+ p += "/"
		75	+ }
		76	+ url := *u
		77	+ url.setPath(p)
		78	return &url
		79	}
		80
		81	--
		82	2.7.4