packages/golang
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
golang/0042-Backport-html-template-disallow-angle-brackets-in-CS.patch
hanchao 4ba5829313 bugfix: fix CVE-2023-29400,CVE-2023-24539,CVE-2023-24540 
CVE:CVE-2023-29400,CVE-2023-24539,CVE-2023-24540
Reference:https://go-review.googlesource.com/c/go/+/491615,https://go-review.googlesource.com/c/go/+/491616,https://go-review.googlesource.com/c/go/+/491617
Type:CVE
Reason:fix CVE-2023-29400,CVE-2023-24539,CVE-2023-24540
2023-06-19 23:45:32 +08:00

70 lines
2.5 KiB
Diff
Raw Blame History

From be128e70a9a7f52f9ff33fceb2139b5769da0112 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <bracewell@google.com>
Date: Wed, 10 May 2023 16:43:52 +0800
Subject: [PATCH 3/3] [Backport] html/template: disallow angle brackets in CSS
values
Offering: Cloud Core Network
CVE: CVE-2023-24539
Reference: https://go-review.googlesource.com/c/go/+/491335
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
For #59720
Fixes #59811
Fixes CVE-2023-24539
Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491335
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Signed-off-by: Li Bi Chen libichen@huawei.com
---
src/html/template/css.go | 2 +-
src/html/template/css_test.go | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/html/template/css.go b/src/html/template/css.go
index eb92fc92b5..8823acb9f0 100644
--- a/src/html/template/css.go
+++ b/src/html/template/css.go
@@ -238,7 +238,7 @@ func cssValueFilter(args ...interface{}) string {
// inside a string that might embed JavaScript source.
for i, c := range b {
switch c {
- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
+ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
return filterFailsafe
case '-':
// Disallow <!-- or -->.
diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
index a735638b03..2b76256a76 100644
--- a/src/html/template/css_test.go
+++ b/src/html/template/css_test.go
@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
{`-expre\0000073sion`, "-expre\x073sion"},
{`@import url evil.css`, "ZgotmplZ"},
+ {"<", "ZgotmplZ"},
+ {">", "ZgotmplZ"},
}
for _, test := range tests {
got := cssValueFilter(test.css)
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink