html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) [1.20 backport] #62395
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
Comments
gopherbot
added
CherryPickCandidate
dmitshur
added
release-blocker
CherryPickApproved
|
Change https://go.dev/cl/526098 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Sep 6, 2023
…script contexts Per Appendix B.1.1 of the ECMAScript specification, support HTML-like comments in script contexts. Also per section 12.5, support hashbang comments. This brings our parsing in-line with how browsers treat these comment types. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. Fixes #62196 Fixes #62395 Fixes CVE-2023-39318 Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 Run-TryBot: Cherry Mui <cherryyz@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
|
Closed by merging 023b542 to release-branch.go1.20. |
cherrymui
changed the title
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Dec 7, 2023
# AWS EKS Backported To: go-1.19.12-eks Backported On: Wed, 06 Sep 2023 Backported By: rcrozean@amazon.com Backported From: release-branch.go1.20 Source Commit: golang@023b542 # Original Information Per Appendix B.1.1 of the ECMAScript specification, support HTML-like comments in script contexts. Also per section 12.5, support hashbang comments. This brings our parsing in-line with how browsers treat these comment types. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. Fixes golang#62196 Fixes golang#62395 Fixes CVE-2023-39318 Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 Run-TryBot: Cherry Mui <cherryyz@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The html/template package did not properly handle HMTL-like ""
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.
@rolandshoemaker requested issue #62196 to be considered for backport to the next 1.20 minor release.
The text was updated successfully, but these errors were encountered: