Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

html/template: improper handling of JavaScript whitespace #59721

Closed
rolandshoemaker opened this issue Apr 19, 2023 · 5 comments
Closed

html/template: improper handling of JavaScript whitespace #59721

rolandshoemaker opened this issue Apr 19, 2023 · 5 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Apr 19, 2023

Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

/cc @golang/security and @golang/release

@prattmic prattmic added the NeedsFix The path to resolution is known, but the work has not been done. label Apr 21, 2023
@prattmic prattmic added this to the Go1.21 milestone Apr 21, 2023
@neild
Copy link
Contributor

neild commented Apr 24, 2023

@gopherbot please open backport issues for this security fix

@gopherbot
Copy link

Backport issue(s) opened: #59813 (for 1.19), #59814 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link

Change https://go.dev/cl/491355 mentions this issue: [release-branch.go1.19] html/template: handle all JS whitespace characters

@gopherbot
Copy link

Change https://go.dev/cl/491356 mentions this issue: [release-branch.go1.20] html/template: handle all JS whitespace characters

gopherbot pushed a commit that referenced this issue May 2, 2023
…cters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For #59721
Fixes  #59813
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Carlos Amedee <carlos@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
gopherbot pushed a commit that referenced this issue May 2, 2023
…cters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For #59721
Fixes #59814
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491356
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@cagedmantis cagedmantis changed the title security: fix CVE-2023-24540 html/template: improper handling of JavaScript whitespace May 2, 2023
@gopherbot
Copy link

Change https://go.dev/cl/491616 mentions this issue: html/template: handle all JS whitespace characters

bradfitz pushed a commit to tailscale/go that referenced this issue May 25, 2023
…cters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For golang#59721
Fixes golang#59814
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491356
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue May 25, 2023
…cters

Rather than just a small set. Character class as defined by \s [0].

Thanks to Juho Nurminen of Mattermost for reporting this.

For golang#59721
Fixes golang#59814
Fixes CVE-2023-24540

[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes

Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851493
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/491356
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

4 participants