html/template: improper handling of JavaScript whitespace #59721
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
prattmic
added
the
NeedsFix
|
@gopherbot please open backport issues for this security fix |
This was referenced Apr 24, 2023
|
Backport issue(s) opened: #59813 (for 1.19), #59814 (for 1.20). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/491355 mentions this issue: |
|
Change https://go.dev/cl/491356 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
May 2, 2023
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For #59721 Fixes #59813 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 Reviewed-by: Dmitri Shuralyov <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> TryBot-Bypass: Carlos Amedee <[email protected]> Run-TryBot: Carlos Amedee <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
May 2, 2023
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For #59721 Fixes #59814 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493 TryBot-Result: Security TryBots <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491356 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
cagedmantis
changed the title
|
Change https://go.dev/cl/491616 mentions this issue: |
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
May 25, 2023
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For golang#59721 Fixes golang#59814 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493 TryBot-Result: Security TryBots <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491356 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
May 25, 2023
…cters Rather than just a small set. Character class as defined by \s [0]. Thanks to Juho Nurminen of Mattermost for reporting this. For golang#59721 Fixes golang#59814 Fixes CVE-2023-24540 [0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 Reviewed-by: Julie Qiu <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493 TryBot-Result: Security TryBots <[email protected]> Run-TryBot: Damien Neil <[email protected]> Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/491356 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
/cc @golang/security and @golang/release
The text was updated successfully, but these errors were encountered: