-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/hd: make DerivePrivateKeyForPath error and not panic on trailing slashes #8607
Merged
mergify
merged 1 commit into
master
from
crypto-hd-make-DerivePrivateKeyForPath-not-panic
Feb 17, 2021
Merged
crypto/hd: make DerivePrivateKeyForPath error and not panic on trailing slashes #8607
mergify
merged 1 commit into
master
from
crypto-hd-make-DerivePrivateKeyForPath-not-panic
Feb 17, 2021
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ng slashes Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557
odeke-em
force-pushed
the
crypto-hd-make-DerivePrivateKeyForPath-not-panic
branch
from
February 17, 2021 10:17
b757615
to
a962bac
Compare
This PR fixes a security issue, so kindly also backport :-) |
alessio
approved these changes
Feb 17, 2021
alessio
requested review from
amaury1093,
fdymylja,
jgimeno,
sahith-narahari and
robert-zaremba
February 17, 2021 10:20
jgimeno
approved these changes
Feb 17, 2021
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good one!
alessio
added
the
A:automerge
Automatically merge PR once all prerequisites pass.
label
Feb 17, 2021
mergify
bot
deleted the
crypto-hd-make-DerivePrivateKeyForPath-not-panic
branch
February 17, 2021 10:30
@Mergifyio backport release/v0.41.x |
Command
|
mergify bot
pushed a commit
that referenced
this pull request
Feb 17, 2021
…ng slashes (#8607) Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557 (cherry picked from commit f970056)
alessio
pushed a commit
that referenced
this pull request
Feb 17, 2021
…ng slashes (#8607) (#8608) Detected during my audit, right before fuzzing, the code that checked for presence of hyphens per path segment assumed that the part would always be non-empty. However, with paths such as: * m/4/ * /44/ * m/4/// it'd panic with a runtime slice out of bounds. With this new change, we now: * firstly strip the right trailing slash * on finding any empty segments of a path return an error Fixes #8557 (cherry picked from commit f970056) Co-authored-by: Emmanuel T Odeke <[email protected]>
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Detected during my audit, right before fuzzing, the code that
checked for presence of hyphens per path segment assumed that
the part would always be non-empty. However, with paths such as:
it'd panic with a runtime slice out of bounds.
With this new change, we now:
Fixes #8557
Before we can merge this PR, please make sure that all the following items have been
checked off. If any of the checklist items are not applicable, please leave them but
write a little note why.
docs/
) or specification (x/<module>/spec/
)godoc
comments.Unreleased
section inCHANGELOG.md
Files changed
in the Github PR explorerCodecov Report
in the comment section below once CI passes