Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.19 backport] #59271

Closed
gopherbot opened this issue Mar 27, 2023 · 4 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone

Comments

@gopherbot
Copy link
Contributor

@julieqiu requested issue #59234 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues.

@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 27, 2023
@gopherbot gopherbot added this to the Go1.19.8 milestone Mar 27, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/481981 mentions this issue: [release-branch.go1.19] html/template: disallow actions in JS template literals

@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/481987 mentions this issue: [release-branch.go1.19] html/template: disallow actions in JS template literals

gopherbot pushed a commit that referenced this issue Apr 4, 2023
…e literals

ECMAScript 6 introduced template literals[0][1] which are delimited with
backticks. These need to be escaped in a similar fashion to the
delimiters for other string literals. Additionally template literals can
contain special syntax for string interpolation.

There is no clear way to allow safe insertion of actions within JS
template literals, as handling (JS) string interpolation inside of these
literals is rather complex. As such we've chosen to simply disallow
template actions within these template literals.

A new error code is added for this parsing failure case, errJsTmplLit,
but it is unexported as it is not backwards compatible with other minor
release versions to introduce an API change in a minor release. We will
export this code in the next major release.

The previous behavior (with the cavet that backticks are now escaped
properly) can be re-enabled with GODEBUG=jstmpllitinterp=1.

This change subsumes CL471455.

Thanks to Sohom Datta, Manipal Institute of Technology, for reporting
this issue.

Fixes CVE-2023-24538
For #59234
Fixes #59271

[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals
[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612
Run-TryBot: Roland Shoemaker <[email protected]>
Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c
Reviewed-on: https://go-review.googlesource.com/c/go/+/481987
Auto-Submit: Michael Knyszek <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
@gopherbot
Copy link
Contributor Author

Closed by merging b1e3ecf to release-branch.go1.19.

@mknyszek mknyszek changed the title security: fix CVE-2023-24538 [1.19 backport] html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.19 backport] Apr 4, 2023
@mknyszek mknyszek added the CherryPickApproved Used during the release process for point releases label Apr 4, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Apr 4, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/482535 mentions this issue: [release-branch.go1.19] html/template,mime/multipart: document new GODEBUG settings

gopherbot pushed a commit that referenced this issue Apr 5, 2023
…DEBUG settings

This change documents the new GODEBUG settings introduced for
html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3
as part of a security fix.

Updates #59153.
For #59269.
Updates #59234.
For #59271.

Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/482535
TryBot-Result: Gopher Robot <[email protected]>
Auto-Submit: Michael Knyszek <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Michael Knyszek <[email protected]>
@golang golang locked and limited conversation to collaborators Apr 4, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Development

No branches or pull requests

3 participants