| From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001 |
| From: Roland Shoemaker <bracewell@google.com> |
| Date: Thu, 13 Apr 2023 15:40:44 -0700 |
| Subject: [PATCH] html/template: disallow angle brackets in CSS values |
| |
| Angle brackets should not appear in CSS contexts, as they may affect |
| token boundaries (such as closing a <style> tag, resulting in |
| injection). Instead emit filterFailsafe, matching the behavior for other |
| dangerous characters. |
| |
| Thanks to Juho Nurminen of Mattermost for reporting this issue. |
| |
| Fixes #59720 |
| Fixes CVE-2023-24539 |
| |
| Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 |
| Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 |
| Reviewed-by: Julie Qiu <julieqiu@google.com> |
| Run-TryBot: Roland Shoemaker <bracewell@google.com> |
| Reviewed-by: Damien Neil <dneil@google.com> |
| Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 |
| Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> |
| Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> |
| Run-TryBot: Carlos Amedee <carlos@golang.org> |
| TryBot-Result: Gopher Robot <gobot@golang.org> |
| |
| Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1] |
| CVE: CVE-2023-24539 |
| Signed-off-by: Ashish Sharma <asharma@mvista.com> |
| --- |
| src/html/template/css.go | 2 +- |
| src/html/template/css_test.go | 2 ++ |
| 2 files changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/src/html/template/css.go b/src/html/template/css.go |
| index 890a0c6b227fe..f650d8b3e843a 100644 |
| --- a/src/html/template/css.go |
| +++ b/src/html/template/css.go |
| @@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { |
| // inside a string that might embed JavaScript source. |
| for i, c := range b { |
| switch c { |
| - case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': |
| + case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': |
| return filterFailsafe |
| case '-': |
| // Disallow <!-- or -->. |
| diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go |
| index a735638b0314f..2b76256a766e9 100644 |
| --- a/src/html/template/css_test.go |
| +++ b/src/html/template/css_test.go |
| @@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { |
| {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, |
| {`-expre\0000073sion`, "-expre\x073sion"}, |
| {`@import url evil.css`, "ZgotmplZ"}, |
| + {"<", "ZgotmplZ"}, |
| + {">", "ZgotmplZ"}, |
| } |
| for _, test := range tests { |
| got := cssValueFilter(test.css) |