-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
html/template: improper sanitization of CSS values #59720
Comments
@gopherbot please open backport issues for this security fix |
Backport issue(s) opened: #59811 (for 1.19), #59812 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/491335 mentions this issue: |
Change https://go.dev/cl/491336 mentions this issue: |
… values Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For #59720 Fixes #59811 Fixes CVE-2023-24539 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491335 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
… values Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For #59720 Fixes #59812 Fixes CVE-2023-24539 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491336 Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
Change https://go.dev/cl/491615 mentions this issue: |
… values Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For golang#59720 Fixes golang#59812 Fixes CVE-2023-24539 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491336 Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
… values Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For golang#59720 Fixes golang#59812 Fixes CVE-2023-24539 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851492 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491336 Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HMTL, if executed with untrusted input.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: