-
Notifications
You must be signed in to change notification settings - Fork 17.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
path/filepath: Clean(.\c:
) returns c:
on Windows
#52476
Comments
diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
index ec9e6d8a1f..d6257b9fe5 100644
--- a/src/path/filepath/path.go
+++ b/src/path/filepath/path.go
@@ -117,9 +117,18 @@ func Clean(path string) string {
case os.IsPathSeparator(path[r]):
// empty path element
r++
- case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+ case path[r] == '.' && r+1 == n:
// . element
r++
+ case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+ // ./ element
+ r++
+ for os.IsPathSeparator(path[r]) {
+ r++
+ }
+ if out.w == 0 && IsAbs(path[r:]) {
+ return originalPath
+ }
case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
// .. element: remove to last separator
r += 2 |
Hmm, this patch still have problem. When the base path is |
Change https://go.dev/cl/401595 mentions this issue: |
@ianlancetaylor This is security issue. So we have to make backports for older versions. |
@gopherbot Please open backport issues. Avoid confusion with ./C: paths. |
Backport issue(s) opened: #52478 (for 1.17), #52479 (for 1.18). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
Change https://go.dev/cl/405234 mentions this issue: |
Change https://go.dev/cl/405235 mentions this issue: |
…following path contains ":". For #52476 Fixes #52479 Fixes CVE-2022-29804 Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb Reviewed-on: https://go-review.googlesource.com/c/go/+/401595 Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Alex Brainman <alex.brainman@gmail.com> Run-TryBot: Ian Lance Taylor <iant@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/405234 Reviewed-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
…following path contains ":". For #52476 Fixes #52478 Fixes CVE-2022-29804 Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb Reviewed-on: https://go-review.googlesource.com/c/go/+/401595 Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Alex Brainman <alex.brainman@gmail.com> Run-TryBot: Ian Lance Taylor <iant@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/405235 Reviewed-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
What did you expect to see?
That the paths are equivalent.
What did you see instead?
They are not equivalent.
Implications
It can lead to unexpected behavior:
http://localhost:8080/c:/Users/ lists the directory content of
C:\Users\
.The text was updated successfully, but these errors were encountered: