cmd/go: "go env" output does not sanitize values #58508
Labels: FrozenDueToAge, GoCommand (cmd/go), NeedsFix, Security
go env
go env is documented as outputting a shell script containing the Go environment:

However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands:

Or inserting new environment variables:
In general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making go env print them out, but we still should be sanitizing the output here. Treating this as a PUBLIC track vulnerability because the scenarios where this results in a vulnerability are fairly artificial, and the correct fix is not immediately obvious. (Properly quoting values seems like an obvious fix, but shell quoting is subtle.)
This is CVE-2023-24531.
Thanks to Hunter Wittenborn (https://hunterwittenborn.com/) for reporting this issue.
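The quoting the report calls for, written out as an added illustration that is not the cmd/go code or the eventual fix for this issue: every value is emitted single-quoted unless it consists only of clearly safe bytes, an embedded single quote becomes '\'', and the key is checked against the shell identifier grammar so neither side of the assignment can be interpreted by the shell. The function names and the sample values in main are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// isSafe reports whether every byte of s may appear unquoted in a POSIX sh
// assignment; $, `, ;, whitespace, newlines and quotes all force quoting.
func isSafe(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' ||
			strings.IndexByte("/._-:,=", c) >= 0) {
			return false
		}
	}
	return true
}

// ShellQuote returns s in a form the shell reads back as exactly s: inside
// single quotes nothing expands, and an embedded ' is written as '\''.
func ShellQuote(s string) string {
	if s != "" && isSafe(s) {
		return s
	}
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// keyRe is the shell identifier grammar; a key outside it could smuggle in
// a command or a second assignment just as an unquoted value can.
var keyRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// FormatEnvLine renders one KEY=value line of a go env style script.
func FormatEnvLine(key, value string) (string, error) {
	if !keyRe.MatchString(key) {
		return "", fmt.Errorf("invalid environment variable name %q", key)
	}
	return key + "=" + ShellQuote(value), nil
}

func main() {
	// Constructed samples: plain path, empty value, command substitution, newline.
	for _, kv := range [][2]string{{"GOROOT", "/usr/local/go"}, {"GOPROXY", ""},
		{"GOFLAGS", "$(echo injected)"}, {"CGO_CFLAGS", "-O2\nGOPROXY=off"}} {
		line, _ := FormatEnvLine(kv[0], kv[1])
		fmt.Println(line)
	}
}
```

Sourcing the printed lines with a POSIX shell assigns each value verbatim; the command substitution and the embedded newline are never interpreted.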