Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset #52574

Closed
rolandshoemaker opened this issue Apr 26, 2022 · 5 comments
Closed

os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset #52574

rolandshoemaker opened this issue Apr 26, 2022 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. OS-Windows Security
Milestone

Comments

@rolandshoemaker
Copy link
Member

If Cmd.Path is unset, Cmd.Run and Cmd.Start should throw an error.

@rolandshoemaker rolandshoemaker added OS-Windows NeedsFix The path to resolution is known, but the work has not been done. labels Apr 26, 2022
@ianlancetaylor ianlancetaylor added this to the Go1.19 milestone Apr 26, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/403759 mentions this issue: os/exec: return clear error for missing cmd.Path

@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues, this is a minor security issue.

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #53056 (for 1.17), #53057 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/408577 mentions this issue: [release-branch.go1.18] os/exec: return clear error for missing cmd.Path

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/408578 mentions this issue: [release-branch.go1.17] os/exec: return clear error for missing cmd.Path

gopherbot pushed a commit that referenced this issue May 27, 2022
Following up on CL 403694, there is a bit of confusion about
when Path is and isn't set, along with now the exported Err field.
Catch the case where Path and Err (and lookPathErr) are all unset
and give a helpful error.

Updates #52574
Followup after #43724.

Fixes #53057
Fixes CVE-2022-30580

Change-Id: I03205172aef3801c3194f5098bdb93290c02b1b6
Reviewed-on: https://go-review.googlesource.com/c/go/+/403759
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 960ffa9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/408577
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
gopherbot pushed a commit that referenced this issue May 27, 2022
Following up on CL 403694, there is a bit of confusion about
when Path is and isn't set, along with now the exported Err field.
Catch the case where Path and Err (and lookPathErr) are all unset
and give a helpful error.

Updates #52574
Followup after #43724.

Fixes #53056
Fixes CVE-2022-30580

Change-Id: I03205172aef3801c3194f5098bdb93290c02b1b6
Reviewed-on: https://go-review.googlesource.com/c/go/+/403759
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 960ffa9)
Reviewed-on: https://go-review.googlesource.com/c/go/+/408578
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators May 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. OS-Windows Security
Projects
None yet
Development

No branches or pull requests

4 participants