-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
html/template: improper handling of JavaScript whitespace #59721
Comments
@gopherbot please open backport issues for this security fix |
Backport issue(s) opened: #59813 (for 1.19), #59814 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/491355 mentions this issue: |
Change https://go.dev/cl/491356 mentions this issue: |
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For #59721 Fixes #59813 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> TryBot-Bypass: Carlos Amedee <carlos@golang.org> Run-TryBot: Carlos Amedee <carlos@golang.org>
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For #59721 Fixes #59814 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491356 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Change https://go.dev/cl/491616 mentions this issue: |
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For golang#59721 Fixes golang#59814 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491356 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For golang#59721 Fixes golang#59814 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <julieqiu@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/491356 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: