Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) [1.21 backport] #62396

Closed
gopherbot opened this issue Aug 31, 2023 · 2 comments
Closed

html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) [1.21 backport] #62396

gopherbot opened this issue Aug 31, 2023 · 2 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Milestone
Go1.21.1

Comments

@gopherbot
Copy link
Contributor

gopherbot commented Aug 31, 2023
edited by cherrymui
Loading

The html/template package did not properly handle HMTL-like ""
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.

This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

@rolandshoemaker requested issue #62196 to be considered for backport to the next 1.21 minor release.

@gopherbot please open backport issues.
@gopherbot gopherbot added CherryPickCandidate Used during the release process for point releases Security labels Aug 31, 2023
@gopherbot gopherbot mentioned this issue Aug 31, 2023
Closed
@gopherbot gopherbot added this to the Go1.21.1 milestone Aug 31, 2023
@dmitshur dmitshur added release-blocker CherryPickApproved Used during the release process for point releases and removed CherryPickCandidate Used during the release process for point releases labels Aug 31, 2023
@gopherbot
Copy link
Contributor Author

Change https://go.dev/cl/526096 mentions this issue: [release-branch.go1.21] html/template: support HTML-like comments in script contexts

gopherbot pushed a commit that referenced this issue Sep 6, 2023
@rolandshoemaker @cherrymui
[release-branch.go1.21] html/template: support HTML-like comments in …
b0e1d3e 
…script contexts

Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
comments in script contexts. Also per section 12.5, support hashbang
comments. This brings our parsing in-line with how browsers treat these
comment types.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
reporting this issue.

Fixes #62196
Fixes #62396
Fixes CVE-2023-39318

Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014618
Reviewed-on: https://go-review.googlesource.com/c/go/+/526096
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cherry Mui <cherryyz@google.com>
@gopherbot
Copy link
Contributor Author

Closed by merging b0e1d3e to release-branch.go1.21.

@cherrymui cherrymui changed the title security: fix CVE-2023-39318 [1.21 backport] html/template: improper handling of HTML-like comments within script contexts (CVE-2023-39318) [1.21 backport] Sep 6, 2023
@golang golang locked and limited conversation to collaborators Sep 5, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker Security
Projects
None yet
Milestone
Go1.21.1
Development

No branches or pull requests
2 participants
@dmitshur @gopherbot