poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch - openbmc/openbmc - Gitiles

 From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
 From: Roland Shoemaker <bracewell@google.com>
 Date: Thu, 13 Apr 2023 15:40:44 -0700
 Subject: [PATCH] html/template: disallow angle brackets in CSS values

 Angle brackets should not appear in CSS contexts, as they may affect
 token boundaries (such as closing a <style> tag, resulting in
 injection). Instead emit filterFailsafe, matching the behavior for other
 dangerous characters.

 Thanks to Juho Nurminen of Mattermost for reporting this issue.

 Fixes #59720
 Fixes CVE-2023-24539

 Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
 Reviewed-by: Julie Qiu <julieqiu@google.com>
 Run-TryBot: Roland Shoemaker <bracewell@google.com>
 Reviewed-by: Damien Neil <dneil@google.com>
 Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
 Run-TryBot: Carlos Amedee <carlos@golang.org>
 TryBot-Result: Gopher Robot <gobot@golang.org>

 Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
 CVE: CVE-2023-24539
 Signed-off-by: Ashish Sharma <asharma@mvista.com>
 ---
  src/html/template/css.go      | 2 +-
  src/html/template/css_test.go | 2 ++
  2 files changed, 3 insertions(+), 1 deletion(-)

 diff --git a/src/html/template/css.go b/src/html/template/css.go
 index 890a0c6b227fe..f650d8b3e843a 100644
 --- a/src/html/template/css.go
 +++ b/src/html/template/css.go
 @@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
  	// inside a string that might embed JavaScript source.
  	for i, c := range b {
  		switch c {
 -		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
 +		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
  			return filterFailsafe
  		case '-':
  			// Disallow <!-- or -->.
 diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
 index a735638b0314f..2b76256a766e9 100644
 --- a/src/html/template/css_test.go
 +++ b/src/html/template/css_test.go
 @@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
  		{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
  		{`-expre\0000073sion`, "-expre\x073sion"},
  		{`@import url evil.css`, "ZgotmplZ"},
 +		{"<", "ZgotmplZ"},
 +		{">", "ZgotmplZ"},
  	}
  	for _, test := range tests {
  		got := cssValueFilter(test.css)
	From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001
	From: Roland Shoemaker <bracewell@google.com>
	Date: Thu, 13 Apr 2023 15:40:44 -0700
	Subject: [PATCH] html/template: disallow angle brackets in CSS values

	Angle brackets should not appear in CSS contexts, as they may affect
	token boundaries (such as closing a <style> tag, resulting in
	injection). Instead emit filterFailsafe, matching the behavior for other
	dangerous characters.

	Thanks to Juho Nurminen of Mattermost for reporting this issue.

	Fixes #59720
	Fixes CVE-2023-24539

	Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
	Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
	Reviewed-by: Julie Qiu <julieqiu@google.com>
	Run-TryBot: Roland Shoemaker <bracewell@google.com>
	Reviewed-by: Damien Neil <dneil@google.com>
	Reviewed-on: https://go-review.googlesource.com/c/go/+/491615
	Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
	Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
	Run-TryBot: Carlos Amedee <carlos@golang.org>
	TryBot-Result: Gopher Robot <gobot@golang.org>

	Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1]
	CVE: CVE-2023-24539
	Signed-off-by: Ashish Sharma <asharma@mvista.com>
	---
	src/html/template/css.go \| 2 +-
	src/html/template/css_test.go \| 2 ++
	2 files changed, 3 insertions(+), 1 deletion(-)

	diff --git a/src/html/template/css.go b/src/html/template/css.go
	index 890a0c6b227fe..f650d8b3e843a 100644
	--- a/src/html/template/css.go
	+++ b/src/html/template/css.go
	@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
	// inside a string that might embed JavaScript source.
	for i, c := range b {
	switch c {
	- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
	+ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
	return filterFailsafe
	case '-':
	// Disallow <!-- or -->.
	diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
	index a735638b0314f..2b76256a766e9 100644
	--- a/src/html/template/css_test.go
	+++ b/src/html/template/css_test.go
	@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
	{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
	{`-expre\0000073sion`, "-expre\x073sion"},
	{`@import url evil.css`, "ZgotmplZ"},
	+ {"<", "ZgotmplZ"},
	+ {">", "ZgotmplZ"},
	}
	for _, test := range tests {
	got := cssValueFilter(test.css)