Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) #62196

Closed
rolandshoemaker opened this issue Aug 21, 2023 · 5 comments
Closed

html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) #62196

rolandshoemaker opened this issue Aug 21, 2023 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone
Go1.22

Comments

@rolandshoemaker
Copy link
Member

rolandshoemaker commented Aug 21, 2023
edited by cherrymui
Loading

The html/template package did not properly handle HMTL-like ""
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.

This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

This is a PRIVATE issue for CVE-2023-39318, tracked in http://b/293889520 and fixed by http://tg/c/1976593.

/cc @golang/security and @golang/release
@rolandshoemaker rolandshoemaker added this to the Go1.22 milestone Aug 21, 2023
@cagedmantis cagedmantis added the NeedsFix The path to resolution is known, but the work has not been done. label Aug 22, 2023
@rolandshoemaker
Copy link
Member Author

@gopherbot please open backport issues.

This was referenced Aug 31, 2023
Closed
Closed
@gopherbot
Copy link
Contributor

Backport issue(s) opened: #62395 (for 1.20), #62396 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/526096 mentions this issue: [release-branch.go1.21] html/template: support HTML-like comments in script contexts

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/526098 mentions this issue: [release-branch.go1.20] html/template: support HTML-like comments in script contexts

gopherbot pushed a commit that referenced this issue Sep 6, 2023
@rolandshoemaker @cherrymui
[release-branch.go1.21] html/template: support HTML-like comments in …
b0e1d3e 
…script contexts

Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
comments in script contexts. Also per section 12.5, support hashbang
comments. This brings our parsing in-line with how browsers treat these
comment types.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
reporting this issue.

Fixes #62196
Fixes #62396
Fixes CVE-2023-39318

Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014618
Reviewed-on: https://go-review.googlesource.com/c/go/+/526096
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cherry Mui <cherryyz@google.com>
gopherbot pushed a commit that referenced this issue Sep 6, 2023
@rolandshoemaker @cherrymui
[release-branch.go1.20] html/template: support HTML-like comments in …
023b542 
…script contexts

Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
comments in script contexts. Also per section 12.5, support hashbang
comments. This brings our parsing in-line with how browsers treat these
comment types.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
reporting this issue.

Fixes #62196
Fixes #62395
Fixes CVE-2023-39318

Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
Run-TryBot: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@cherrymui cherrymui changed the title security: fix CVE-2023-39318 html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) Sep 6, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/526156 mentions this issue: html/template: support HTML-like comments in script contexts

@seankhliao seankhliao mentioned this issue Sep 23, 2023
Open
@bot-actions bot-actions bot mentioned this issue Sep 25, 2023
Closed
This was referenced Sep 25, 2023
Merged
Merged
Merged
rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023
@rolandshoemaker @rcrozean
html/template: support HTML-like comments in script contexts
0add31f 
# AWS EKS
Backported To: go-1.19.12-eks
Backported On: Wed, 06 Sep 2023
Backported By: rcrozean@amazon.com
Backported From: release-branch.go1.20
Source Commit: golang@023b542

# Original Information

Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
comments in script contexts. Also per section 12.5, support hashbang
comments. This brings our parsing in-line with how browsers treat these
comment types.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
reporting this issue.

Fixes golang#62196
Fixes golang#62395
Fixes CVE-2023-39318

Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
Run-TryBot: Cherry Mui <cherryyz@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Oct 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Milestone
Go1.22
Development

No branches or pull requests
4 participants
@cagedmantis @rolandshoemaker @gopherbot and others