html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.20 backport] #59272

gopherbot · 2023-03-27T15:05:47Z

@julieqiu requested issue #59234 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues.

gopherbot · 2023-04-04T16:31:11Z

Change https://go.dev/cl/481993 mentions this issue: [release-branch.go1.20] html/template: disallow actions in JS template literals

…e literals ECMAScript 6 introduced template literals[0][1] which are delimited with backticks. These need to be escaped in a similar fashion to the delimiters for other string literals. Additionally template literals can contain special syntax for string interpolation. There is no clear way to allow safe insertion of actions within JS template literals, as handling (JS) string interpolation inside of these literals is rather complex. As such we've chosen to simply disallow template actions within these template literals. A new error code is added for this parsing failure case, errJsTmplLit, but it is unexported as it is not backwards compatible with other minor release versions to introduce an API change in a minor release. We will export this code in the next major release. The previous behavior (with the cavet that backticks are now escaped properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. This change subsumes CL471455. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. Fixes CVE-2023-24538 For #59234 Fixes #59272 [0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals [1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals Change-Id: Idff74ec386e9b73d6e9a3c9f71990eabc0ce7506 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802688 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/481993 Run-TryBot: Michael Knyszek <mknyszek@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> TryBot-Bypass: Michael Knyszek <mknyszek@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com>

gopherbot · 2023-04-04T17:02:04Z

Closed by merging 20374d1 to release-branch.go1.20.

gopherbot · 2023-04-05T15:39:37Z

Change https://go.dev/cl/482555 mentions this issue: [release-branch.go1.20] html/template,mime/multipart: document new GODEBUG settings

…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates #59153. For #59270. Updates #59234. For #59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>

…DEBUG settings This change documents the new GODEBUG settings introduced for html/template and mime/multipart, released with Go 1.19.8 and Go 1.20.3 as part of a security fix. Updates golang#59153. For golang#59270. Updates golang#59234. For golang#59272. Change-Id: I25f4d8245da3301dccccfb44da8ff1a5985392a4 Reviewed-on: https://go-review.googlesource.com/c/go/+/482555 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Knyszek <mknyszek@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Michael Knyszek <mknyszek@google.com>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 27, 2023

gopherbot mentioned this issue Mar 27, 2023

html/template: backticks not treated as string delimiters (CVE-2023-24538) #59234

Closed

gopherbot added this to the Go1.20.3 milestone Mar 27, 2023

dmitshur added the Security label Mar 29, 2023

gopherbot closed this as completed Apr 4, 2023

mknyszek changed the title ~~security: fix CVE-2023-24538 [1.20 backport]~~ html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.20 backport] Apr 4, 2023

mknyszek added the CherryPickApproved Used during the release process for point releases label Apr 4, 2023

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Apr 4, 2023

golang locked and limited conversation to collaborators Apr 4, 2024

gopherbot added the FrozenDueToAge label Apr 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.20 backport] #59272

html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.20 backport] #59272

gopherbot commented Mar 27, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 5, 2023

html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.20 backport] #59272

html/template: backticks not treated as string delimiters (CVE-2023-24538) [1.20 backport] #59272

Comments

gopherbot commented Mar 27, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 4, 2023

gopherbot commented Apr 5, 2023