Message ID | 20230929192133.14948-1-skulkarni@mvista.com |
---|---|
State | Accepted, archived |
Delegated to: | Steve Sakoman |
Series | [dunfell,v3] go: Update fix for CVE-2023-24538 & CVE-2023-39318 | expand |
Sorry, this patch doesn't apply: Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318 error: corrupt patch at line 478 error: could not build fake ancestor Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318 Steve On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> wrote: > > From: Shubham Kulkarni <skulkarni@mvista.com> > > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 > > Upstream Link - > CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b > CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c > > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> > --- > meta/recipes-devtools/go/go-1.14.inc | 5 +- > .../go/go-1.14/CVE-2023-24538-1.patch | 4 +- > .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++- > .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++ > .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++ > .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++ > ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++- > .../go/go-1.14/CVE-2023-39318.patch | 38 +- > 8 files changed, 2124 insertions(+), 20 deletions(-) > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch > rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%) > > diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc > index be63f64825..091b778de8 100644 > --- a/meta/recipes-devtools/go/go-1.14.inc > +++ b/meta/recipes-devtools/go/go-1.14.inc 
> @@ -60,7 +60,10 @@ SRC_URI += "\ > file://CVE-2023-24534.patch \ > file://CVE-2023-24538-1.patch \ > file://CVE-2023-24538-2.patch \ > - file://CVE-2023-24538-3.patch \ > + file://CVE-2023-24538_3.patch \ > + file://CVE-2023-24538_4.patch \ > + file://CVE-2023-24538_5.patch \ > + file://CVE-2023-24538_6.patch \ > file://CVE-2023-24539.patch \ > file://CVE-2023-24540.patch \ > file://CVE-2023-29405-1.patch \ > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > index eda26e5ff6..23c5075e41 100644 > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > @@ -1,7 +1,7 @@ > From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 > From: Brad Fitzpatrick <bradfitz@golang.org> > Date: Mon, 2 Aug 2021 14:55:51 -0700 > -Subject: [PATCH 1/3] net/netip: add new IP address package > +Subject: [PATCH 1/6] net/netip: add new IP address package > > Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) > Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org> > > Dependency Patch #1 > > -Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0] > +Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 > CVE: CVE-2023-24538 > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> > --- > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > index 5036f2890b..3840617a32 100644 > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > @@ -1,7 +1,7 @@ > From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 
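Review bot: The four added SRC_URI entries `file://CVE-2023-24538_3.patch` through `file://CVE-2023-24538_6.patch` switch to an underscore separator while the untouched `file://CVE-2023-24538-1.patch` and `file://CVE-2023-24538-2.patch` lines directly above keep the hyphen, so one CVE's backport series is now split across two naming schemes in the recipe. Since `CVE-2023-24538-3.patch` is being renamed anyway, naming the new files `CVE-2023-24538-3.patch` … `CVE-2023-24538-6.patch` would keep the series uniform and make it trivial to match each file against its `[PATCH n/6]` subject. A sentence in the commit message saying which upstream golang commit each of the four new or renamed patches backports would also let a reviewer confirm the dependency chain is complete instead of inferring it from the diffstat.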
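Review bot: In the `@@ -31,7 +31,7 @@` hunk of CVE-2023-24538-1.patch the `Upstream-Status` line is rewritten from `Upstream-Status: Backport [<url>]` to `Upstream-Status: Backport from <url>`; as far as I recall, the OpenEmbedded patch guidelines and the patchreview tooling expect the bracketed form, so the old line was the conformant one. If the intent is consistency with CVE-2023-24538-2.patch, which already reads `Upstream-Status: Backport from …`, the better fix is to convert that sibling to the bracketed form rather than the other way round. The `[PATCH 1/3]` to `[PATCH 1/6]` renumbering in the first hunk is fine as-is.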
> From: empijei <robclap8@gmail.com> > Date: Fri, 27 Mar 2020 19:27:55 +0100 > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes > for JSON compatibility > MIME-Version: 1.0 > Content-Type: text/plain; charset=UTF-8 > @@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072 > CVE: CVE-2023-24538 
> Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> > --- > - src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- > - src/text/template/funcs.go | 8 +++--- > - 2 files changed, 46 insertions(+), 32 deletions(-) > + src/html/template/content_test.go | 70 +++++++++++++++++++------------------- > + src/html/template/escape_test.go | 6 ++-- > + src/html/template/example_test.go | 6 ++-- > + src/html/template/js.go | 70 +++++++++++++++++++++++--------------- > + src/html/template/js_test.go | 68 ++++++++++++++++++------------------ > + src/html/template/template_test.go | 39 +++++++++++++++++++++ > + src/text/template/exec_test.go | 6 ++-- > + src/text/template/funcs.go | 8 ++--- > + 8 files changed, 163 insertions(+), 110 deletions(-) > > +diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go > +index 72d56f5..bd86527 100644 > +--- a/src/html/template/content_test.go > ++++ b/src/html/template/content_test.go > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) { > + HTML(`Hello, <b>World</b> &tc!`), > + HTMLAttr(` dir="ltr"`), > + JS(`c && alert("Hello, World!");`), > +- JSStr(`Hello, World & O'Reilly\x21`), > ++ JSStr(`Hello, World & O'Reilly\u0021`), > + URL(`greeting=H%69,&addressee=(World)`), > + Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`), > + URL(`,foo/,`), > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) { > + `Hello, <b>World</b> &tc!`, > + ` dir="ltr"`, > + `c && alert("Hello, World!");`, > +- `Hello, World & O'Reilly\x21`, > ++ `Hello, World & O'Reilly\u0021`, > + `greeting=H%69,&addressee=(World)`, > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, > + `,foo/,`, > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) { > + `Hello, World &tc!`, > + ` dir="ltr"`, > + `c && alert("Hello, World!");`, > +- `Hello, World & O'Reilly\x21`, > ++ `Hello, World & O'Reilly\u0021`, > + `greeting=H%69,&addressee=(World)`, > + 
`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, > + `,foo/,`, > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) { > + `Hello, World &tc!`, > + ` dir="ltr"`, > + `c && alert("Hello, World!");`, > +- `Hello, World & O'Reilly\x21`, > ++ `Hello, World & O'Reilly\u0021`, > + `greeting=H%69,&addressee=(World)`, > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, > + `,foo/,`, > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) { > + `Hello, <b>World</b> &tc!`, > + ` dir="ltr"`, > + `c && alert("Hello, World!");`, > +- `Hello, World & O'Reilly\x21`, > ++ `Hello, World & O'Reilly\u0021`, > + `greeting=H%69,&addressee=(World)`, > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, > + `,foo/,`, > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) { > + // Not escaped. > + `c && alert("Hello, World!");`, > + // Escape sequence not over-escaped. > +- `"Hello, World & O'Reilly\x21"`, > ++ `"Hello, World & O'Reilly\u0021"`, > + `"greeting=H%69,\u0026addressee=(World)"`, > + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, > + `",foo/,"`, > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) { > + // Not JS escaped but HTML escaped. > + `c && alert("Hello, World!");`, > + // Escape sequence not over-escaped. 
> +- `"Hello, World & O'Reilly\x21"`, > ++ `"Hello, World & O'Reilly\u0021"`, > + `"greeting=H%69,\u0026addressee=(World)"`, > + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, > + `",foo/,"`, > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) { > + { > + `<script>alert("{{.}}")</script>`, > + []string{ > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, > +- `a[href =~ \x22\/\/example.com\x22]#foo`, > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, > +- ` dir=\x22ltr\x22`, > +- `c \x26\x26 alert(\x22Hello, World!\x22);`, > ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, > ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, > ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, > ++ ` dir=\u0022ltr\u0022`, > ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, > + // Escape sequence not over-escaped. > +- `Hello, World \x26 O\x27Reilly\x21`, > +- `greeting=H%69,\x26addressee=(World)`, > +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > ++ `Hello, World \u0026 O\u0027Reilly\u0021`, > ++ `greeting=H%69,\u0026addressee=(World)`, > ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > + `,foo\/,`, > + }, > + }, > + { > + `<script type="text/javascript">alert("{{.}}")</script>`, > + []string{ > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, > +- `a[href =~ \x22\/\/example.com\x22]#foo`, > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, > +- ` dir=\x22ltr\x22`, > +- `c \x26\x26 alert(\x22Hello, World!\x22);`, > ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, > ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, > ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, > ++ ` dir=\u0022ltr\u0022`, > ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, > + // Escape sequence not over-escaped. 
> +- `Hello, World \x26 O\x27Reilly\x21`, > +- `greeting=H%69,\x26addressee=(World)`, > +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > ++ `Hello, World \u0026 O\u0027Reilly\u0021`, > ++ `greeting=H%69,\u0026addressee=(World)`, > ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > + `,foo\/,`, > + }, > + }, > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) { > + // Not escaped. > + `c && alert("Hello, World!");`, > + // Escape sequence not over-escaped. > +- `"Hello, World & O'Reilly\x21"`, > ++ `"Hello, World & O'Reilly\u0021"`, > + `"greeting=H%69,\u0026addressee=(World)"`, > + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, > + `",foo/,"`, > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) { > + `Hello, <b>World</b> &tc!`, > + ` dir="ltr"`, > + `c && alert("Hello, World!");`, > +- `Hello, World & O'Reilly\x21`, > ++ `Hello, World & O'Reilly\u0021`, > + `greeting=H%69,&addressee=(World)`, > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, > + `,foo/,`, > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) { > + { > + `<button onclick='alert("{{.}}")'>`, > + []string{ > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, > +- `a[href =~ \x22\/\/example.com\x22]#foo`, > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, > +- ` dir=\x22ltr\x22`, > +- `c \x26\x26 alert(\x22Hello, World!\x22);`, > ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, > ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, > ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, > ++ ` dir=\u0022ltr\u0022`, > ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, > + // Escape sequence not over-escaped. 
> +- `Hello, World \x26 O\x27Reilly\x21`, > +- `greeting=H%69,\x26addressee=(World)`, > +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > ++ `Hello, World \u0026 O\u0027Reilly\u0021`, > ++ `greeting=H%69,\u0026addressee=(World)`, > ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > + `,foo\/,`, > + }, > + }, > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) { > + `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, > + `%20dir%3d%22ltr%22`, > + `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, > +- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, > ++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, > + // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done. > + `greeting=H%69,&addressee=%28World%29`, > + `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`, > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) { > + `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, > + `%20dir%3d%22ltr%22`, > + `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, > +- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, > ++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, > + // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done. 
> + `greeting=H%69,&addressee=%28World%29`, > + `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`, > +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go > +index e72a9ba..c709660 100644 > +--- a/src/html/template/escape_test.go > ++++ b/src/html/template/escape_test.go > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) { > + { > + "jsStr", > + "<button onclick='alert("{{.H}}")'>", > +- `<button onclick='alert("\x3cHello\x3e")'>`, > ++ `<button onclick='alert("\u003cHello\u003e")'>`, > + }, > + { > + "badMarshaler", > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) { > + { > + "jsRe", > + `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`, > +- `<button onclick='alert(/foo\x2bbar/.test(""))'>`, > ++ `<button onclick='alert(/foo\u002bbar/.test(""))'>`, > + }, > + { > + "jsReBlank", > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) { > + "main": `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`, > + "helper": `{{11}} of {{"<100>"}}`, > + }, > +- `<button onclick="title='11 of \x3c100\x3e'; ...">11 of <100></button>`, > ++ `<button onclick="title='11 of \u003c100\u003e'; ...">11 of <100></button>`, > + }, > + // A non-recursive template that ends in a different context. > + // helper starts in jsCtxRegexp and ends in jsCtxDivOp. 
> +diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go > +index 9d965f1..6cf936f 100644 > +--- a/src/html/template/example_test.go > ++++ b/src/html/template/example_test.go > +@@ -116,9 +116,9 @@ func Example_escape() { > + // "Fran & Freddie's Diner" <tasty@example.com> > + // "Fran & Freddie's Diner" <tasty@example.com> > + // "Fran & Freddie's Diner"32<tasty@example.com> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E > +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E > ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E > + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E > + > + } > diff --git a/src/html/template/js.go b/src/html/template/js.go > index 0e91458..ea9c183 100644 > --- a/src/html/template/js.go 
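Review bot: The `index` lines inside the nested diffs this hunk adds to CVE-2023-24538-2.patch (for example `+index 72d56f5..bd86527 100644` for content_test.go) look like they were copied from the upstream commit rather than regenerated against go 1.14's tree, so the embedded patch will only apply by context matching; that is acceptable for a backport, but a full `bitbake go` build should gate the v4 resend. This hunk itself is ASCII-only, whereas the next hunk (`@@ -173,6 +401,217 @@`, whose end lies beyond this page) adds `TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped` with non-ASCII inputs such as `"ʕ⊙ϖ⊙ʔ"` and an emoji case. The `corrupt patch at line 478` failure reported in this thread is consistent with those multibyte strings being mangled in mail transport, so resending with `git send-email` (or attaching the patch) is worth trying before changing content.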
> @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644 > '?': `\?`, > '[': `\[`, > '\\': `\\`, > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go > +index 075adaa..d7ee47b 100644 > +--- a/src/html/template/js_test.go > ++++ b/src/html/template/js_test.go > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) { > + {"foo", `"foo"`}, > + // Newlines. > + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, > +- // "\v" == "v" on IE 6 so use "\x0b" instead. > ++ // "\v" == "v" on IE 6 so use "\u000b" instead. > + {"\t\x0b", `"\t\u000b"`}, > + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, > + {[]interface{}{}, "[]"}, > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) { > + }{ > + {"", ``}, > + {"foo", `foo`}, > +- {"\u0000", `\0`}, > ++ {"\u0000", `\u0000`}, > + {"\t", `\t`}, > + {"\n", `\n`}, > + {"\r", `\r`}, > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) { > + {"\\n", `\\n`}, > + {"foo\r\nbar", `foo\r\nbar`}, > + // Preserve attribute boundaries. > +- {`"`, `\x22`}, > +- {`'`, `\x27`}, > ++ {`"`, `\u0022`}, > ++ {`'`, `\u0027`}, > + // Allow embedding in HTML without further escaping. > +- {`&`, `\x26amp;`}, > ++ {`&`, `\u0026amp;`}, > + // Prevent breaking out of text node and element boundaries. > +- {"</script>", `\x3c\/script\x3e`}, > +- {"<![CDATA[", `\x3c![CDATA[`}, > +- {"]]>", `]]\x3e`}, > ++ {"</script>", `\u003c\/script\u003e`}, > ++ {"<![CDATA[", `\u003c![CDATA[`}, > ++ {"]]>", `]]\u003e`}, > + // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span > + // "The text in style, script, title, and textarea elements > + // must not have an escaping text span start that is not > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) { > + // allow regular text content to be interpreted as script > + // allowing script execution via a combination of a JS string > + // injection followed by an HTML text injection. 
> +- {"<!--", `\x3c!--`}, > +- {"-->", `--\x3e`}, > ++ {"<!--", `\u003c!--`}, > ++ {"-->", `--\u003e`}, > + // From https://code.google.com/p/doctype/wiki/ArticleUtf7 > + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", > +- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, > ++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`, > + }, > + // Invalid UTF-8 sequence > + {"foo\xA0bar", "foo\xA0bar"}, > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) { > + }{ > + {"", `(?:)`}, > + {"foo", `foo`}, > +- {"\u0000", `\0`}, > ++ {"\u0000", `\u0000`}, > + {"\t", `\t`}, > + {"\n", `\n`}, > + {"\r", `\r`}, > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) { > + {"\\n", `\\n`}, > + {"foo\r\nbar", `foo\r\nbar`}, > + // Preserve attribute boundaries. > +- {`"`, `\x22`}, > +- {`'`, `\x27`}, > ++ {`"`, `\u0022`}, > ++ {`'`, `\u0027`}, > + // Allow embedding in HTML without further escaping. > +- {`&`, `\x26amp;`}, > ++ {`&`, `\u0026amp;`}, > + // Prevent breaking out of text node and element boundaries. > +- {"</script>", `\x3c\/script\x3e`}, > +- {"<![CDATA[", `\x3c!\[CDATA\[`}, > +- {"]]>", `\]\]\x3e`}, > ++ {"</script>", `\u003c\/script\u003e`}, > ++ {"<![CDATA[", `\u003c!\[CDATA\[`}, > ++ {"]]>", `\]\]\u003e`}, > + // Escaping text spans. 
> +- {"<!--", `\x3c!\-\-`}, > +- {"-->", `\-\-\x3e`}, > ++ {"<!--", `\u003c!\-\-`}, > ++ {"-->", `\-\-\u003e`}, > + {"*", `\*`}, > +- {"+", `\x2b`}, > ++ {"+", `\u002b`}, > + {"?", `\?`}, > + {"[](){}", `\[\]\(\)\{\}`}, > + {"$foo|x.y", `\$foo\|x\.y`}, > +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { > + { > + "jsStrEscaper", > + jsStrEscaper, > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + > +- ` !\x22#$%\x26\x27()*\x2b,-.\/` + > +- `0123456789:;\x3c=\x3e?` + > ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + > ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + > ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + > ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` + > ++ `0123456789:;\u003c=\u003e?` + > + `@ABCDEFGHIJKLMNO` + > + `PQRSTUVWXYZ[\\]^_` + > + "`abcdefghijklmno" + > +- "pqrstuvwxyz{|}~\x7f" + > ++ "pqrstuvwxyz{|}~\u007f" + > + "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", > + }, > + { > + "jsRegexpEscaper", > + jsRegexpEscaper, > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + > +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` + > +- `0123456789:;\x3c=\x3e\?` + > ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + > ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + > ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + > ++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` + > ++ `0123456789:;\u003c=\u003e\?` + > + `@ABCDEFGHIJKLMNO` + > + `PQRSTUVWXYZ\[\\\]\^_` + > + "`abcdefghijklmno" + > +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go > +index 13e6ba4..86bd4db 100644 > +--- a/src/html/template/template_test.go > ++++ b/src/html/template/template_test.go 
> +@@ -6,6 +6,7 @@ package template_test > + > + import ( > + "bytes" > ++ "encoding/json" > + . "html/template" > + "strings" > + "testing" > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) { > + c.mustExecute(c.root, nil, "12.34 7.5") > + } > + > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) { > ++ // See #33671 and #37634 for more context on this. > ++ tests := []struct{ name, in string }{ > ++ {"empty", ""}, > ++ {"invalid", string(rune(-1))}, > ++ {"null", "\u0000"}, > ++ {"unit separator", "\u001F"}, > ++ {"tab", "\t"}, > ++ {"gt and lt", "<>"}, > ++ {"quotes", `'"`}, > ++ {"ASCII letters", "ASCII letters"}, > ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"}, > ++ {"Pizza", "
Apologies Steve, I will look into the issue and send a new patch for Dunfell. It worked for me on my machine. Maybe something I missed. Thanks, Shubham Kulkarni On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote: > Sorry, this patch doesn't apply: > > Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318 > error: corrupt patch at line 478 > error: could not build fake ancestor > Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318 > > Steve > > On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via > lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> > wrote: > > > > From: Shubham Kulkarni <skulkarni@mvista.com> > > > > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 > > > > Upstream Link - > > CVE-2023-24538: > https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b > > CVE-2023-39318: > https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c > > > > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> > > --- > > meta/recipes-devtools/go/go-1.14.inc | 5 +- > > .../go/go-1.14/CVE-2023-24538-1.patch | 4 +- > > .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++- > > .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++ > > .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++ > > .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++ > > ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++- > > .../go/go-1.14/CVE-2023-39318.patch | 38 +- > > 8 files changed, 2124 insertions(+), 20 deletions(-) > > create mode 100644 > meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch > > create mode 100644 > meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch > > create mode 100644 > meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch > > rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => > CVE-2023-24538_6.patch} (53%) 
> > > > diff --git a/meta/recipes-devtools/go/go-1.14.inc > b/meta/recipes-devtools/go/go-1.14.inc > > index be63f64825..091b778de8 100644 > > --- a/meta/recipes-devtools/go/go-1.14.inc > > +++ b/meta/recipes-devtools/go/go-1.14.inc > > @@ -60,7 +60,10 @@ SRC_URI += "\ > > file://CVE-2023-24534.patch \ > > file://CVE-2023-24538-1.patch \ > > file://CVE-2023-24538-2.patch \ > > - file://CVE-2023-24538-3.patch \ > > + file://CVE-2023-24538_3.patch \ > > + file://CVE-2023-24538_4.patch \ > > + file://CVE-2023-24538_5.patch \ > > + file://CVE-2023-24538_6.patch \ > > file://CVE-2023-24539.patch \ > > file://CVE-2023-24540.patch \ > > file://CVE-2023-29405-1.patch \ > > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > > index eda26e5ff6..23c5075e41 100644 > > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch > > @@ -1,7 +1,7 @@ > > From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 > > From: Brad Fitzpatrick <bradfitz@golang.org> > > Date: Mon, 2 Aug 2021 14:55:51 -0700 > > -Subject: [PATCH 1/3] net/netip: add new IP address package > > +Subject: [PATCH 1/6] net/netip: add new IP address package > > > > Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) > > Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> > > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org> > > > > Dependency Patch #1 > > > > -Upstream-Status: Backport [ > https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 > ] > > +Upstream-Status: Backport from > https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 > > CVE: CVE-2023-24538 > > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> > > --- 
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > > index 5036f2890b..3840617a32 100644 > > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch > > @@ -1,7 +1,7 @@ > > From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 > > From: empijei <robclap8@gmail.com> > > Date: Fri, 27 Mar 2020 19:27:55 +0100 > > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode > escapes > > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode > escapes > > for JSON compatibility > > MIME-Version: 1.0 > > Content-Type: text/plain; charset=UTF-8 > > @@ -31,10 +31,238 @@ Upstream-Status: Backport from > https://github.com/golang/go/commit/d4d298040d072 > > CVE: CVE-2023-24538 
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> > > --- > > - src/html/template/js.go | 70 > +++++++++++++++++++++++++++------------------- > > - src/text/template/funcs.go | 8 +++--- > > - 2 files changed, 46 insertions(+), 32 deletions(-) > > + src/html/template/content_test.go | 70 > +++++++++++++++++++------------------- > > + src/html/template/escape_test.go | 6 ++-- > > + src/html/template/example_test.go | 6 ++-- > > + src/html/template/js.go | 70 > +++++++++++++++++++++++--------------- > > + src/html/template/js_test.go | 68 > ++++++++++++++++++------------------ > > + src/html/template/template_test.go | 39 +++++++++++++++++++++ > > + src/text/template/exec_test.go | 6 ++-- > > + src/text/template/funcs.go | 8 ++--- > > + 8 files changed, 163 insertions(+), 110 deletions(-) > > > > +diff --git a/src/html/template/content_test.go > b/src/html/template/content_test.go > > +index 72d56f5..bd86527 100644 > > +--- a/src/html/template/content_test.go > > ++++ b/src/html/template/content_test.go > > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) { > > + HTML(`Hello, <b>World</b> &tc!`), > > + HTMLAttr(` dir="ltr"`), > > + JS(`c && alert("Hello, World!");`), > > +- JSStr(`Hello, World & O'Reilly\x21`), > > ++ JSStr(`Hello, World & O'Reilly\u0021`), > > + URL(`greeting=H%69,&addressee=(World)`), > > + Srcset(`greeting=H%69,&addressee=(World) 2x, > https://golang.org/favicon.ico 500.5w`), > > + URL(`,foo/,`), > > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) { > > + `Hello, <b>World</b> &tc!`, > > + ` dir="ltr"`, > > + `c && alert("Hello, > World!");`, > > +- `Hello, World & O'Reilly\x21`, > > ++ `Hello, World & O'Reilly\u0021`, > > + `greeting=H%69,&addressee=(World)`, > > + `greeting=H%69,&addressee=(World) > 2x, https://golang.org/favicon.ico 500.5w`, > > + `,foo/,`, > > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) { > > + `Hello, World &tc!`, > > + ` dir="ltr"`, > > + > `c && alert("Hello, World!");`, > > +- > `Hello, 
World & O'Reilly\x21`, > > ++ > `Hello, World & O'Reilly\u0021`, > > + > `greeting=H%69,&addressee=(World)`, > > + > `greeting=H%69,&addressee=(World) 2x,  > https://golang.org/favicon.ico 500.5w` > <https://golang.org/favicon.ico 500.5w>, > > + `,foo/,`, > > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) { > > + `Hello, World &tc!`, > > + ` dir="ltr"`, > > + `c && alert("Hello, > World!");`, > > +- `Hello, World & O'Reilly\x21`, > > ++ `Hello, World & O'Reilly\u0021`, > > + `greeting=H%69,&addressee=(World)`, > > + `greeting=H%69,&addressee=(World) > 2x, https://golang.org/favicon.ico 500.5w`, > > + `,foo/,`, > > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) { > > + `Hello, <b>World</b> > &tc!`, > > + ` dir="ltr"`, > > + `c && alert("Hello, > World!");`, > > +- `Hello, World & O'Reilly\x21`, > > ++ `Hello, World & O'Reilly\u0021`, > > + `greeting=H%69,&addressee=(World)`, > > + `greeting=H%69,&addressee=(World) > 2x, https://golang.org/favicon.ico 500.5w`, > > + `,foo/,`, > > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) { > > + // Not escaped. > > + `c && alert("Hello, World!");`, > > + // Escape sequence not over-escaped. > > +- `"Hello, World & O'Reilly\x21"`, > > ++ `"Hello, World & O'Reilly\u0021"`, > > + > `"greeting=H%69,\u0026addressee=(World)"`, > > + `"greeting=H%69,\u0026addressee=(World) > 2x, https://golang.org/favicon.ico 500.5w"`, > > + `",foo/,"`, > > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) { > > + // Not JS escaped but HTML escaped. > > + `c && alert("Hello, > World!");`, > > + // Escape sequence not over-escaped. 
> > +- `"Hello, World & > O'Reilly\x21"`, > > ++ `"Hello, World & > O'Reilly\u0021"`, > > + > `"greeting=H%69,\u0026addressee=(World)"`, > > + > `"greeting=H%69,\u0026addressee=(World) 2x, > https://golang.org/favicon.ico 500.5w"`, > > + `",foo/,"`, > > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) { > > + { > > + `<script>alert("{{.}}")</script>`, > > + []string{ > > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly > \x26bar;`, > > +- `a[href =~ \x22\/\/example.com > \x22]#foo`, > > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e > \x26amp;tc!`, > > +- ` dir=\x22ltr\x22`, > > +- `c \x26\x26 alert(\x22Hello, > World!\x22);`, > > ++ `\u003cb\u003e \u0022foo%\u0022 > O\u0027Reilly \u0026bar;`, > > ++ `a[href =~ \u0022\/\/example.com > \u0022]#foo`, > > ++ `Hello, > \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, > > ++ ` dir=\u0022ltr\u0022`, > > ++ `c \u0026\u0026 alert(\u0022Hello, > World!\u0022);`, > > + // Escape sequence not over-escaped. > > +- `Hello, World \x26 O\x27Reilly\x21`, > > +- `greeting=H%69,\x26addressee=(World)`, > > +- `greeting=H%69,\x26addressee=(World) 2x, > https:\/\/golang.org\/favicon.ico 500.5w`, > > ++ `Hello, World \u0026 > O\u0027Reilly\u0021`, > > ++ `greeting=H%69,\u0026addressee=(World)`, > > ++ `greeting=H%69,\u0026addressee=(World) > 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > > + `,foo\/,`, > > + }, > > + }, > > + { > > + `<script > type="text/javascript">alert("{{.}}")</script>`, > > + []string{ > > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly > \x26bar;`, > > +- `a[href =~ \x22\/\/example.com > \x22]#foo`, > > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e > \x26amp;tc!`, > > +- ` dir=\x22ltr\x22`, > > +- `c \x26\x26 alert(\x22Hello, > World!\x22);`, > > ++ `\u003cb\u003e \u0022foo%\u0022 > O\u0027Reilly \u0026bar;`, > > ++ `a[href =~ \u0022\/\/example.com > \u0022]#foo`, > > ++ `Hello, > \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, > > ++ ` dir=\u0022ltr\u0022`, > > ++ `c \u0026\u0026 alert(\u0022Hello, > World!\u0022);`, > > + // Escape 
sequence not over-escaped. > > +- `Hello, World \x26 O\x27Reilly\x21`, > > +- `greeting=H%69,\x26addressee=(World)`, > > +- `greeting=H%69,\x26addressee=(World) 2x, > https:\/\/golang.org\/favicon.ico 500.5w`, > > ++ `Hello, World \u0026 > O\u0027Reilly\u0021`, > > ++ `greeting=H%69,\u0026addressee=(World)`, > > ++ `greeting=H%69,\u0026addressee=(World) > 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > > + `,foo\/,`, > > + }, > > + }, > > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) { > > + // Not escaped. > > + `c && alert("Hello, World!");`, > > + // Escape sequence not over-escaped. > > +- `"Hello, World & O'Reilly\x21"`, > > ++ `"Hello, World & O'Reilly\u0021"`, > > + > `"greeting=H%69,\u0026addressee=(World)"`, > > + `"greeting=H%69,\u0026addressee=(World) > 2x, https://golang.org/favicon.ico 500.5w"`, > > + `",foo/,"`, > > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) { > > + `Hello, <b>World</b> &tc!`, > > + ` dir="ltr"`, > > + `c && alert("Hello, > World!");`, > > +- `Hello, World & O'Reilly\x21`, > > ++ `Hello, World & O'Reilly\u0021`, > > + `greeting=H%69,&addressee=(World)`, > > + `greeting=H%69,&addressee=(World) > 2x, https://golang.org/favicon.ico 500.5w`, > > + `,foo/,`, > > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) { > > + { > > + `<button onclick='alert("{{.}}")'>`, > > + []string{ > > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly > \x26bar;`, > > +- `a[href =~ \x22\/\/example.com > \x22]#foo`, > > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e > \x26amp;tc!`, > > +- ` dir=\x22ltr\x22`, > > +- `c \x26\x26 alert(\x22Hello, > World!\x22);`, > > ++ `\u003cb\u003e \u0022foo%\u0022 > O\u0027Reilly \u0026bar;`, > > ++ `a[href =~ \u0022\/\/example.com > \u0022]#foo`, > > ++ `Hello, > \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, > > ++ ` dir=\u0022ltr\u0022`, > > ++ `c \u0026\u0026 alert(\u0022Hello, > World!\u0022);`, > > + // Escape sequence not over-escaped. 
> > +- `Hello, World \x26 O\x27Reilly\x21`, > > +- `greeting=H%69,\x26addressee=(World)`, > > +- `greeting=H%69,\x26addressee=(World) 2x, > https:\/\/golang.org\/favicon.ico 500.5w`, > > ++ `Hello, World \u0026 > O\u0027Reilly\u0021`, > > ++ `greeting=H%69,\u0026addressee=(World)`, > > ++ `greeting=H%69,\u0026addressee=(World) > 2x, https:\/\/golang.org\/favicon.ico 500.5w`, > > + `,foo\/,`, > > + }, > > + }, > > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) { > > + > `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, > > + `%20dir%3d%22ltr%22`, > > + > `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, > > +- > `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, > > ++ > `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, > > + // Quotes and parens are escaped but %69 > is not over-escaped. HTML escaping is done. > > + > `greeting=H%69,&addressee=%28World%29`, > > + > `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f% > 2fgolang.org%2ffavicon.ico%20500.5w`, > > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) { > > + > `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, > > + `%20dir%3d%22ltr%22`, > > + > `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, > > +- > `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, > > ++ > `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, > > + // Quotes and parens are escaped but %69 > is not over-escaped. HTML escaping is not done. 
> > + `greeting=H%69,&addressee=%28World%29`, > > + > `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f% > 2fgolang.org%2ffavicon.ico%20500.5w`, > > +diff --git a/src/html/template/escape_test.go > b/src/html/template/escape_test.go > > +index e72a9ba..c709660 100644 > > +--- a/src/html/template/escape_test.go > > ++++ b/src/html/template/escape_test.go > > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) { > > + { > > + "jsStr", > > + "<button onclick='alert("{{.H}}")'>", > > +- `<button > onclick='alert("\x3cHello\x3e")'>`, > > ++ `<button > onclick='alert("\u003cHello\u003e")'>`, > > + }, > > + { > > + "badMarshaler", > > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) { > > + { > > + "jsRe", > > + `<button > onclick='alert(/{{"foo+bar"}}/.test(""))'>`, > > +- `<button > onclick='alert(/foo\x2bbar/.test(""))'>`, > > ++ `<button > onclick='alert(/foo\u002bbar/.test(""))'>`, > > + }, > > + { > > + "jsReBlank", > > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) { > > + "main": `<button > onclick="title='{{template "helper"}}'; ...">{{template > "helper"}}</button>`, > > + "helper": `{{11}} of {{"<100>"}}`, > > + }, > > +- `<button onclick="title='11 of \x3c100\x3e'; > ...">11 of <100></button>`, > > ++ `<button onclick="title='11 of \u003c100\u003e'; > ...">11 of <100></button>`, > > + }, > > + // A non-recursive template that ends in a different > context. > > + // helper starts in jsCtxRegexp and ends in jsCtxDivOp. 
> > +diff --git a/src/html/template/example_test.go > b/src/html/template/example_test.go > > +index 9d965f1..6cf936f 100644 > > +--- a/src/html/template/example_test.go > > ++++ b/src/html/template/example_test.go > > +@@ -116,9 +116,9 @@ func Example_escape() { > > + // "Fran & Freddie's Diner" & > lt;tasty@example.com> > > + // "Fran & Freddie's Diner" & > lt;tasty@example.com> > > + // "Fran & Freddie's Diner&# > 34;32<tasty@example.com> > > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E > > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E > > +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E > > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com > \u003E > > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com > \u003E > > ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com > \u003E > > + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E > > + > > + } > > diff --git a/src/html/template/js.go b/src/html/template/js.go > > index 0e91458..ea9c183 100644 > > --- a/src/html/template/js.go 
> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644 > > '?': `\?`, > > '[': `\[`, > > '\\': `\\`, > > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go > > +index 075adaa..d7ee47b 100644 > > +--- a/src/html/template/js_test.go > > ++++ b/src/html/template/js_test.go > > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) { > > + {"foo", `"foo"`}, > > + // Newlines. > > + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, > > +- // "\v" == "v" on IE 6 so use "\x0b" instead. > > ++ // "\v" == "v" on IE 6 so use "\u000b" instead. > > + {"\t\x0b", `"\t\u000b"`}, > > + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, > > + {[]interface{}{}, "[]"}, > > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) { > > + }{ > > + {"", ``}, > > + {"foo", `foo`}, > > +- {"\u0000", `\0`}, > > ++ {"\u0000", `\u0000`}, > > + {"\t", `\t`}, > > + {"\n", `\n`}, > > + {"\r", `\r`}, > > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) { > > + {"\\n", `\\n`}, > > + {"foo\r\nbar", `foo\r\nbar`}, > > + // Preserve attribute boundaries. > > +- {`"`, `\x22`}, > > +- {`'`, `\x27`}, > > ++ {`"`, `\u0022`}, > > ++ {`'`, `\u0027`}, > > + // Allow embedding in HTML without further escaping. > > +- {`&`, `\x26amp;`}, > > ++ {`&`, `\u0026amp;`}, > > + // Prevent breaking out of text node and element > boundaries. 
> > +- {"</script>", `\x3c\/script\x3e`}, > > +- {"<![CDATA[", `\x3c![CDATA[`}, > > +- {"]]>", `]]\x3e`}, > > ++ {"</script>", `\u003c\/script\u003e`}, > > ++ {"<![CDATA[", `\u003c![CDATA[`}, > > ++ {"]]>", `]]\u003e`}, > > + // > https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span > > + // "The text in style, script, title, and textarea > elements > > + // must not have an escaping text span start that is > not > > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) { > > + // allow regular text content to be interpreted as script > > + // allowing script execution via a combination of a JS > string > > + // injection followed by an HTML text injection. > > +- {"<!--", `\x3c!--`}, > > +- {"-->", `--\x3e`}, > > ++ {"<!--", `\u003c!--`}, > > ++ {"-->", `--\u003e`}, > > + // From > https://code.google.com/p/doctype/wiki/ArticleUtf7 > > + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", > > +- > `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, > > ++ > `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`, > > + }, > > + // Invalid UTF-8 sequence > > + {"foo\xA0bar", "foo\xA0bar"}, > > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) { > > + }{ > > + {"", `(?:)`}, > > + {"foo", `foo`}, > > +- {"\u0000", `\0`}, > > ++ {"\u0000", `\u0000`}, > > + {"\t", `\t`}, > > + {"\n", `\n`}, > > + {"\r", `\r`}, > > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) { > > + {"\\n", `\\n`}, > > + {"foo\r\nbar", `foo\r\nbar`}, > > + // Preserve attribute boundaries. > > +- {`"`, `\x22`}, > > +- {`'`, `\x27`}, > > ++ {`"`, `\u0022`}, > > ++ {`'`, `\u0027`}, > > + // Allow embedding in HTML without further escaping. > > +- {`&`, `\x26amp;`}, > > ++ {`&`, `\u0026amp;`}, > > + // Prevent breaking out of text node and element > boundaries. 
> > +- {"</script>", `\x3c\/script\x3e`}, > > +- {"<![CDATA[", `\x3c!\[CDATA\[`}, > > +- {"]]>", `\]\]\x3e`}, > > ++ {"</script>", `\u003c\/script\u003e`}, > > ++ {"<![CDATA[", `\u003c!\[CDATA\[`}, > > ++ {"]]>", `\]\]\u003e`}, > > + // Escaping text spans. > > +- {"<!--", `\x3c!\-\-`}, > > +- {"-->", `\-\-\x3e`}, > > ++ {"<!--", `\u003c!\-\-`}, > > ++ {"-->", `\-\-\u003e`}, > > + {"*", `\*`}, > > +- {"+", `\x2b`}, > > ++ {"+", `\u002b`}, > > + {"?", `\?`}, > > + {"[](){}", `\[\]\(\)\{\}`}, > > + {"$foo|x.y", `\$foo\|x\.y`}, > > +@@ -284,27 +284,27 @@ func > TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { > > + { > > + "jsStrEscaper", > > + jsStrEscaper, > > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + > > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + > > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + > > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + > > +- ` !\x22#$%\x26\x27()*\x2b,-.\/` + > > +- `0123456789:;\x3c=\x3e?` + > > ++ > `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + > > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + > > ++ > `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + > > ++ > `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + > > ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` + > > ++ `0123456789:;\u003c=\u003e?` + > > + `@ABCDEFGHIJKLMNO` + > > + `PQRSTUVWXYZ[\\]^_` + > > + "`abcdefghijklmno" + > > +- "pqrstuvwxyz{|}~\x7f" + > > ++ "pqrstuvwxyz{|}~\u007f" + > > + > "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", > > + }, > > + { > > + "jsRegexpEscaper", > > + jsRegexpEscaper, > > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + > > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + > > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + > > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + > > +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` + > > +- `0123456789:;\x3c=\x3e\?` + > > ++ > `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + > > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + > > ++ > `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + > > ++ > `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + > > ++ ` > 
!\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` + > > ++ `0123456789:;\u003c=\u003e\?` + > > + `@ABCDEFGHIJKLMNO` + > > + `PQRSTUVWXYZ\[\\\]\^_` + > > + "`abcdefghijklmno" + > > +diff --git a/src/html/template/template_test.go > b/src/html/template/template_test.go > > +index 13e6ba4..86bd4db 100644 > > +--- a/src/html/template/template_test.go > > ++++ b/src/html/template/template_test.go > > +@@ -6,6 +6,7 @@ package template_test > > + > > + import ( > > + "bytes" > > ++ "encoding/json" > > + . "html/template" > > + "strings" > > + "testing" > > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) { > > + c.mustExecute(c.root, nil, "12.34 7.5") > > + } > > + > > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t > *testing.T) { > > ++ // See #33671 and #37634 for more context on this. > > ++ tests := []struct{ name, in string }{ > > ++ {"empty", ""}, > > ++ {"invalid", string(rune(-1))}, > > ++ {"null", "\u0000"}, > > ++ {"unit separator", "\u001F"}, > > ++ {"tab", "\t"}, > > ++ {"gt and lt", "<>"}, > > ++ {"quotes", `'"`}, > > ++ {"ASCII letters", "ASCII letters"}, > > ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"}, > > ++ {"Pizza", "
Hi Steve, I have recreated the patch from scratch for dunfell and sent it as v4 - https://lists.openembedded.org/g/openembedded-core/message/188639 The issue in v3 might be due to whitespace. But v4 should be good. Thanks, Shubham Kulkarni On Sat, Sep 30, 2023 at 9:11 PM Shubham Kulkarni via lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> wrote: > Apologies Steve, > > I will look into the issue and send a new patch for Dunfell. It worked for > me on my machine. Maybe something I missed. > > Thanks, > Shubham Kulkarni > > On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote: > >> Sorry, this patch doesn't apply: >> >> Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318 >> error: corrupt patch at line 478 >> error: could not build fake ancestor >> Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318 >> >> Steve >> >> On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via >> lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> >> wrote: >> > >> > From: Shubham Kulkarni <skulkarni@mvista.com> >> > >> > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 >> > >> > Upstream Link - >> > CVE-2023-24538: >> https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b >> > CVE-2023-39318: >> https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c 
>> > >> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> >> > --- >> > meta/recipes-devtools/go/go-1.14.inc | 5 +- >> > .../go/go-1.14/CVE-2023-24538-1.patch | 4 +- >> > .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++- >> > .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++ >> > .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++ >> > .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++ >> > ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++- >> > .../go/go-1.14/CVE-2023-39318.patch | 38 +- >> > 8 files changed, 2124 insertions(+), 20 deletions(-) >> > create mode 100644 >> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch >> > create mode 100644 >> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch >> > create mode 100644 >> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch >> > rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => >> CVE-2023-24538_6.patch} (53%) >> > >> > diff --git a/meta/recipes-devtools/go/go-1.14.inc >> b/meta/recipes-devtools/go/go-1.14.inc >> > index be63f64825..091b778de8 100644 >> > --- a/meta/recipes-devtools/go/go-1.14.inc >> > +++ b/meta/recipes-devtools/go/go-1.14.inc >> > @@ -60,7 +60,10 @@ SRC_URI += "\ >> > file://CVE-2023-24534.patch \ >> > file://CVE-2023-24538-1.patch \ >> > file://CVE-2023-24538-2.patch \ >> > - file://CVE-2023-24538-3.patch \ >> > + file://CVE-2023-24538_3.patch \ >> > + file://CVE-2023-24538_4.patch \ >> > + file://CVE-2023-24538_5.patch \ >> > + file://CVE-2023-24538_6.patch \ >> > file://CVE-2023-24539.patch \ >> > file://CVE-2023-24540.patch \ >> > file://CVE-2023-29405-1.patch \ >> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >> > index eda26e5ff6..23c5075e41 100644 >> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >> > @@ -1,7 +1,7 @@ 
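Review bot: The new SRC_URI entries `file://CVE-2023-24538_3.patch` through `file://CVE-2023-24538_6.patch` use an underscore separator while the sibling entries `file://CVE-2023-24538-1.patch` and `file://CVE-2023-24538-2.patch` keep the hyphen, so one six-part backport series is now named under two schemes, and the existing `-3` file is renamed to `_6` in the process. Naming the added files `CVE-2023-24538-3.patch` … `CVE-2023-24538-6.patch` (with the old `-3` renamed to `-6`) would keep the series sorting and reading as a single set alongside the other CVE patches in this block. If the underscore was chosen deliberately to give the rename a distinct name, a sentence in the commit message saying so would save the next reviewer the same question.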
>> > From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 >> > From: Brad Fitzpatrick <bradfitz@golang.org> >> > Date: Mon, 2 Aug 2021 14:55:51 -0700 >> > -Subject: [PATCH 1/3] net/netip: add new IP address package >> > +Subject: [PATCH 1/6] net/netip: add new IP address package >> > >> > Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) >> > Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> >> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org> >> > >> > Dependency Patch #1 >> > >> > -Upstream-Status: Backport [ >> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 >> ] >> > +Upstream-Status: Backport from >> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 >> > CVE: CVE-2023-24538 >> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> >> > --- >> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >> > index 5036f2890b..3840617a32 100644 >> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >> > @@ -1,7 +1,7 @@ >> > From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 >> > From: empijei <robclap8@gmail.com> >> > Date: Fri, 27 Mar 2020 19:27:55 +0100 >> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode >> escapes >> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode >> escapes >> > for JSON compatibility >> > MIME-Version: 1.0 >> > Content-Type: text/plain; charset=UTF-8 >> > @@ -31,10 +31,238 @@ Upstream-Status: Backport from >> https://github.com/golang/go/commit/d4d298040d072 >> > CVE: CVE-2023-24538 
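Review bot: The new header line `+Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0` in CVE-2023-24538-1.patch drops the bracketed form the old line used; the OE-Core patch-metadata convention I know of is `Upstream-Status: Backport [<url or commit>]`, and tooling that parses the field may key on that shape. The context line of the CVE-2023-24538-2.patch hunk on this same line shows the same `Backport from …` wording, so this looks like an attempt to be consistent with -2 rather than with the documented form; consider using `Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]` here and fixing the -2 header the same way. The -2 hunk that begins here continues past this line.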
>> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> >> > --- >> > - src/html/template/js.go | 70 >> +++++++++++++++++++++++++++------------------- >> > - src/text/template/funcs.go | 8 +++--- >> > - 2 files changed, 46 insertions(+), 32 deletions(-) >> > + src/html/template/content_test.go | 70 >> +++++++++++++++++++------------------- >> > + src/html/template/escape_test.go | 6 ++-- >> > + src/html/template/example_test.go | 6 ++-- >> > + src/html/template/js.go | 70 >> +++++++++++++++++++++++--------------- >> > + src/html/template/js_test.go | 68 >> ++++++++++++++++++------------------ >> > + src/html/template/template_test.go | 39 +++++++++++++++++++++ >> > + src/text/template/exec_test.go | 6 ++-- >> > + src/text/template/funcs.go | 8 ++--- >> > + 8 files changed, 163 insertions(+), 110 deletions(-) >> > >> > +diff --git a/src/html/template/content_test.go >> b/src/html/template/content_test.go >> > +index 72d56f5..bd86527 100644 >> > +--- a/src/html/template/content_test.go >> > ++++ b/src/html/template/content_test.go >> > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) { >> > + HTML(`Hello, <b>World</b> &tc!`), >> > + HTMLAttr(` dir="ltr"`), >> > + JS(`c && alert("Hello, World!");`), >> > +- JSStr(`Hello, World & O'Reilly\x21`), >> > ++ JSStr(`Hello, World & O'Reilly\u0021`), >> > + URL(`greeting=H%69,&addressee=(World)`), >> > + Srcset(`greeting=H%69,&addressee=(World) 2x, >> https://golang.org/favicon.ico 500.5w`), >> > + URL(`,foo/,`), >> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) { >> > + `Hello, <b>World</b> &tc!`, >> > + ` dir="ltr"`, >> > + `c && alert("Hello, >> World!");`, >> > +- `Hello, World & O'Reilly\x21`, >> > ++ `Hello, World & O'Reilly\u0021`, >> > + `greeting=H%69,&addressee=(World)`, >> > + `greeting=H%69,&addressee=(World) >> 2x, https://golang.org/favicon.ico 500.5w`, >> > + `,foo/,`, >> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) { >> > + `Hello, World &tc!`, >> > + ` dir="ltr"`, >> > + >> `c 
&& alert("Hello, World!");`, >> > +- >> `Hello, World & O'Reilly\x21`, >> > ++ >> `Hello, World & O'Reilly\u0021`, >> > + >> `greeting=H%69,&addressee=(World)`, >> > + >> `greeting=H%69,&addressee=(World) 2x,  >> https://golang.org/favicon.ico 500.5w` >> <https://golang.org/favicon.ico 500.5w>, >> > + `,foo/,`, >> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) { >> > + `Hello, World &tc!`, >> > + ` dir="ltr"`, >> > + `c && alert("Hello, >> World!");`, >> > +- `Hello, World & O'Reilly\x21`, >> > ++ `Hello, World & O'Reilly\u0021`, >> > + `greeting=H%69,&addressee=(World)`, >> > + `greeting=H%69,&addressee=(World) >> 2x, https://golang.org/favicon.ico 500.5w`, >> > + `,foo/,`, >> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) { >> > + `Hello, <b>World</b> >> &tc!`, >> > + ` dir="ltr"`, >> > + `c && alert("Hello, >> World!");`, >> > +- `Hello, World & O'Reilly\x21`, >> > ++ `Hello, World & O'Reilly\u0021`, >> > + `greeting=H%69,&addressee=(World)`, >> > + `greeting=H%69,&addressee=(World) >> 2x, https://golang.org/favicon.ico 500.5w`, >> > + `,foo/,`, >> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) { >> > + // Not escaped. >> > + `c && alert("Hello, World!");`, >> > + // Escape sequence not over-escaped. >> > +- `"Hello, World & O'Reilly\x21"`, >> > ++ `"Hello, World & O'Reilly\u0021"`, >> > + >> `"greeting=H%69,\u0026addressee=(World)"`, >> > + `"greeting=H%69,\u0026addressee=(World) >> 2x, https://golang.org/favicon.ico 500.5w"`, >> > + `",foo/,"`, >> > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) { >> > + // Not JS escaped but HTML escaped. >> > + `c && alert("Hello, >> World!");`, >> > + // Escape sequence not over-escaped. 
>> > +- `"Hello, World & >> O'Reilly\x21"`, >> > ++ `"Hello, World & >> O'Reilly\u0021"`, >> > + >> `"greeting=H%69,\u0026addressee=(World)"`, >> > + >> `"greeting=H%69,\u0026addressee=(World) 2x, >> https://golang.org/favicon.ico 500.5w"`, >> > + `",foo/,"`, >> > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) { >> > + { >> > + `<script>alert("{{.}}")</script>`, >> > + []string{ >> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly >> \x26bar;`, >> > +- `a[href =~ \x22\/\/example.com >> \x22]#foo`, >> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e >> \x26amp;tc!`, >> > +- ` dir=\x22ltr\x22`, >> > +- `c \x26\x26 alert(\x22Hello, >> World!\x22);`, >> > ++ `\u003cb\u003e \u0022foo%\u0022 >> O\u0027Reilly \u0026bar;`, >> > ++ `a[href =~ \u0022\/\/example.com >> \u0022]#foo`, >> > ++ `Hello, >> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, >> > ++ ` dir=\u0022ltr\u0022`, >> > ++ `c \u0026\u0026 alert(\u0022Hello, >> World!\u0022);`, >> > + // Escape sequence not over-escaped. >> > +- `Hello, World \x26 O\x27Reilly\x21`, >> > +- `greeting=H%69,\x26addressee=(World)`, >> > +- `greeting=H%69,\x26addressee=(World) >> 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >> > ++ `Hello, World \u0026 >> O\u0027Reilly\u0021`, >> > ++ `greeting=H%69,\u0026addressee=(World)`, >> > ++ `greeting=H%69,\u0026addressee=(World) >> 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >> > + `,foo\/,`, >> > + }, >> > + }, >> > + { >> > + `<script >> type="text/javascript">alert("{{.}}")</script>`, >> > + []string{ >> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly >> \x26bar;`, >> > +- `a[href =~ \x22\/\/example.com >> \x22]#foo`, >> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e >> \x26amp;tc!`, >> > +- ` dir=\x22ltr\x22`, >> > +- `c \x26\x26 alert(\x22Hello, >> World!\x22);`, >> > ++ `\u003cb\u003e \u0022foo%\u0022 >> O\u0027Reilly \u0026bar;`, >> > ++ `a[href =~ \u0022\/\/example.com >> \u0022]#foo`, >> > ++ `Hello, >> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, >> > ++ ` dir=\u0022ltr\u0022`, >> > ++ `c 
\u0026\u0026 alert(\u0022Hello, >> World!\u0022);`, >> > + // Escape sequence not over-escaped. >> > +- `Hello, World \x26 O\x27Reilly\x21`, >> > +- `greeting=H%69,\x26addressee=(World)`, >> > +- `greeting=H%69,\x26addressee=(World) >> 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >> > ++ `Hello, World \u0026 >> O\u0027Reilly\u0021`, >> > ++ `greeting=H%69,\u0026addressee=(World)`, >> > ++ `greeting=H%69,\u0026addressee=(World) >> 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >> > + `,foo\/,`, >> > + }, >> > + }, >> > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) { >> > + // Not escaped. >> > + `c && alert("Hello, World!");`, >> > + // Escape sequence not over-escaped. >> > +- `"Hello, World & O'Reilly\x21"`, >> > ++ `"Hello, World & O'Reilly\u0021"`, >> > + >> `"greeting=H%69,\u0026addressee=(World)"`, >> > + `"greeting=H%69,\u0026addressee=(World) >> 2x, https://golang.org/favicon.ico 500.5w"`, >> > + `",foo/,"`, >> > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) { >> > + `Hello, <b>World</b> &tc!`, >> > + ` dir="ltr"`, >> > + `c && alert("Hello, >> World!");`, >> > +- `Hello, World & O'Reilly\x21`, >> > ++ `Hello, World & O'Reilly\u0021`, >> > + `greeting=H%69,&addressee=(World)`, >> > + `greeting=H%69,&addressee=(World) >> 2x, https://golang.org/favicon.ico 500.5w`, >> > + `,foo/,`, >> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) { >> > + { >> > + `<button onclick='alert("{{.}}")'>`, >> > + []string{ >> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly >> \x26bar;`, >> > +- `a[href =~ \x22\/\/example.com >> \x22]#foo`, >> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e >> \x26amp;tc!`, >> > +- ` dir=\x22ltr\x22`, >> > +- `c \x26\x26 alert(\x22Hello, >> World!\x22);`, >> > ++ `\u003cb\u003e \u0022foo%\u0022 >> O\u0027Reilly \u0026bar;`, >> > ++ `a[href =~ \u0022\/\/example.com >> \u0022]#foo`, >> > ++ `Hello, >> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, >> > ++ ` dir=\u0022ltr\u0022`, >> > ++ `c \u0026\u0026 alert(\u0022Hello, >> 
World!\u0022);`, >> > + // Escape sequence not over-escaped. >> > +- `Hello, World \x26 O\x27Reilly\x21`, >> > +- `greeting=H%69,\x26addressee=(World)`, >> > +- `greeting=H%69,\x26addressee=(World) >> 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >> > ++ `Hello, World \u0026 >> O\u0027Reilly\u0021`, >> > ++ `greeting=H%69,\u0026addressee=(World)`, >> > ++ `greeting=H%69,\u0026addressee=(World) >> 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >> > + `,foo\/,`, >> > + }, >> > + }, >> > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) { >> > + >> `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, >> > + `%20dir%3d%22ltr%22`, >> > + >> `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, >> > +- >> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, >> > ++ >> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, >> > + // Quotes and parens are escaped but >> %69 is not over-escaped. HTML escaping is done. >> > + >> `greeting=H%69,&addressee=%28World%29`, >> > + >> `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f% >> 2fgolang.org%2ffavicon.ico%20500.5w`, >> > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) { >> > + >> `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, >> > + `%20dir%3d%22ltr%22`, >> > + >> `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, >> > +- >> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, >> > ++ >> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, >> > + // Quotes and parens are escaped but >> %69 is not over-escaped. HTML escaping is not done. 
>> > + `greeting=H%69,&addressee=%28World%29`, >> > + >> `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f% >> 2fgolang.org%2ffavicon.ico%20500.5w`, >> > +diff --git a/src/html/template/escape_test.go >> b/src/html/template/escape_test.go >> > +index e72a9ba..c709660 100644 >> > +--- a/src/html/template/escape_test.go >> > ++++ b/src/html/template/escape_test.go >> > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) { >> > + { >> > + "jsStr", >> > + "<button onclick='alert("{{.H}}")'>", >> > +- `<button >> onclick='alert("\x3cHello\x3e")'>`, >> > ++ `<button >> onclick='alert("\u003cHello\u003e")'>`, >> > + }, >> > + { >> > + "badMarshaler", >> > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) { >> > + { >> > + "jsRe", >> > + `<button >> onclick='alert(/{{"foo+bar"}}/.test(""))'>`, >> > +- `<button >> onclick='alert(/foo\x2bbar/.test(""))'>`, >> > ++ `<button >> onclick='alert(/foo\u002bbar/.test(""))'>`, >> > + }, >> > + { >> > + "jsReBlank", >> > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) { >> > + "main": `<button >> onclick="title='{{template "helper"}}'; ...">{{template >> "helper"}}</button>`, >> > + "helper": `{{11}} of {{"<100>"}}`, >> > + }, >> > +- `<button onclick="title='11 of \x3c100\x3e'; >> ...">11 of <100></button>`, >> > ++ `<button onclick="title='11 of >> \u003c100\u003e'; ...">11 of <100></button>`, >> > + }, >> > + // A non-recursive template that ends in a different >> context. >> > + // helper starts in jsCtxRegexp and ends in jsCtxDivOp. 
>> > +diff --git a/src/html/template/example_test.go >> b/src/html/template/example_test.go >> > +index 9d965f1..6cf936f 100644 >> > +--- a/src/html/template/example_test.go >> > ++++ b/src/html/template/example_test.go >> > +@@ -116,9 +116,9 @@ func Example_escape() { >> > + // "Fran & Freddie's Diner" & >> lt;tasty@example.com> >> > + // "Fran & Freddie's Diner" & >> lt;tasty@example.com> >> > + // "Fran & Freddie's Diner&# >> 34;32<tasty@example.com> >> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E >> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E >> > +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E >> > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com >> \u003E >> > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com >> \u003E >> > ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com >> \u003E >> > + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E >> > + >> > + } >> > diff --git a/src/html/template/js.go b/src/html/template/js.go >> > index 0e91458..ea9c183 100644 >> > --- a/src/html/template/js.go 
>> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644 >> > '?': `\?`, >> > '[': `\[`, >> > '\\': `\\`, >> > +diff --git a/src/html/template/js_test.go >> b/src/html/template/js_test.go >> > +index 075adaa..d7ee47b 100644 >> > +--- a/src/html/template/js_test.go >> > ++++ b/src/html/template/js_test.go >> > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) { >> > + {"foo", `"foo"`}, >> > + // Newlines. >> > + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, >> > +- // "\v" == "v" on IE 6 so use "\x0b" instead. >> > ++ // "\v" == "v" on IE 6 so use "\u000b" instead. >> > + {"\t\x0b", `"\t\u000b"`}, >> > + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, >> > + {[]interface{}{}, "[]"}, >> > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) { >> > + }{ >> > + {"", ``}, >> > + {"foo", `foo`}, >> > +- {"\u0000", `\0`}, >> > ++ {"\u0000", `\u0000`}, >> > + {"\t", `\t`}, >> > + {"\n", `\n`}, >> > + {"\r", `\r`}, >> > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) { >> > + {"\\n", `\\n`}, >> > + {"foo\r\nbar", `foo\r\nbar`}, >> > + // Preserve attribute boundaries. >> > +- {`"`, `\x22`}, >> > +- {`'`, `\x27`}, >> > ++ {`"`, `\u0022`}, >> > ++ {`'`, `\u0027`}, >> > + // Allow embedding in HTML without further escaping. >> > +- {`&`, `\x26amp;`}, >> > ++ {`&`, `\u0026amp;`}, >> > + // Prevent breaking out of text node and element >> boundaries. 
>> > +- {"</script>", `\x3c\/script\x3e`}, >> > +- {"<![CDATA[", `\x3c![CDATA[`}, >> > +- {"]]>", `]]\x3e`}, >> > ++ {"</script>", `\u003c\/script\u003e`}, >> > ++ {"<![CDATA[", `\u003c![CDATA[`}, >> > ++ {"]]>", `]]\u003e`}, >> > + // >> https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span >> > + // "The text in style, script, title, and textarea >> elements >> > + // must not have an escaping text span start that is >> not >> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) { >> > + // allow regular text content to be interpreted as >> script >> > + // allowing script execution via a combination of a JS >> string >> > + // injection followed by an HTML text injection. >> > +- {"<!--", `\x3c!--`}, >> > +- {"-->", `--\x3e`}, >> > ++ {"<!--", `\u003c!--`}, >> > ++ {"-->", `--\u003e`}, >> > + // From >> https://code.google.com/p/doctype/wiki/ArticleUtf7 >> > + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", >> > +- >> `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, >> > ++ >> `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`, >> > + }, >> > + // Invalid UTF-8 sequence >> > + {"foo\xA0bar", "foo\xA0bar"}, >> > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) { >> > + }{ >> > + {"", `(?:)`}, >> > + {"foo", `foo`}, >> > +- {"\u0000", `\0`}, >> > ++ {"\u0000", `\u0000`}, >> > + {"\t", `\t`}, >> > + {"\n", `\n`}, >> > + {"\r", `\r`}, >> > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) { >> > + {"\\n", `\\n`}, >> > + {"foo\r\nbar", `foo\r\nbar`}, >> > + // Preserve attribute boundaries. >> > +- {`"`, `\x22`}, >> > +- {`'`, `\x27`}, >> > ++ {`"`, `\u0022`}, >> > ++ {`'`, `\u0027`}, >> > + // Allow embedding in HTML without further escaping. >> > +- {`&`, `\x26amp;`}, >> > ++ {`&`, `\u0026amp;`}, >> > + // Prevent breaking out of text node and element >> boundaries. 
>> > +- {"</script>", `\x3c\/script\x3e`}, >> > +- {"<![CDATA[", `\x3c!\[CDATA\[`}, >> > +- {"]]>", `\]\]\x3e`}, >> > ++ {"</script>", `\u003c\/script\u003e`}, >> > ++ {"<![CDATA[", `\u003c!\[CDATA\[`}, >> > ++ {"]]>", `\]\]\u003e`}, >> > + // Escaping text spans. >> > +- {"<!--", `\x3c!\-\-`}, >> > +- {"-->", `\-\-\x3e`}, >> > ++ {"<!--", `\u003c!\-\-`}, >> > ++ {"-->", `\-\-\u003e`}, >> > + {"*", `\*`}, >> > +- {"+", `\x2b`}, >> > ++ {"+", `\u002b`}, >> > + {"?", `\?`}, >> > + {"[](){}", `\[\]\(\)\{\}`}, >> > + {"$foo|x.y", `\$foo\|x\.y`}, >> > +@@ -284,27 +284,27 @@ func >> TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { >> > + { >> > + "jsStrEscaper", >> > + jsStrEscaper, >> > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + >> > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + >> > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + >> > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + >> > +- ` !\x22#$%\x26\x27()*\x2b,-.\/` + >> > +- `0123456789:;\x3c=\x3e?` + >> > ++ >> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + >> > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + >> > ++ >> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + >> > ++ >> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + >> > ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` >> + >> > ++ `0123456789:;\u003c=\u003e?` + >> > + `@ABCDEFGHIJKLMNO` + >> > + `PQRSTUVWXYZ[\\]^_` + >> > + "`abcdefghijklmno" + >> > +- "pqrstuvwxyz{|}~\x7f" + >> > ++ "pqrstuvwxyz{|}~\u007f" + >> > + >> "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", >> > + }, >> > + { >> > + "jsRegexpEscaper", >> > + jsRegexpEscaper, >> > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + >> > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + >> > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + >> > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + >> > +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` + >> > +- `0123456789:;\x3c=\x3e\?` + >> > ++ >> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + >> > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + >> > ++ >> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + >> > ++ >> 
`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + >> > ++ ` >> !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` + >> > ++ `0123456789:;\u003c=\u003e\?` + >> > + `@ABCDEFGHIJKLMNO` + >> > + `PQRSTUVWXYZ\[\\\]\^_` + >> > + "`abcdefghijklmno" + >> > +diff --git a/src/html/template/template_test.go >> b/src/html/template/template_test.go >> > +index 13e6ba4..86bd4db 100644 >> > +--- a/src/html/template/template_test.go >> > ++++ b/src/html/template/template_test.go >> > +@@ -6,6 +6,7 @@ package template_test >> > + >> > + import ( >> > + "bytes" >> > ++ "encoding/json" >> > + . "html/template" >> > + "strings" >> > + "testing" >> > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) { >> > + c.mustExecute(c.root, nil, "12.34 7.5") >> > + } >> > + >> > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t >> *testing.T) { >> > ++ // See #33671 and #37634 for more context on this. >> > ++ tests := []struct{ name, in string }{ >> > ++ {"empty", ""}, >> > ++ {"invalid", string(rune(-1))}, >> > ++ {"null", "\u0000"}, >> > ++ {"unit separator", "\u001F"}, >> > ++ {"tab", "\t"}, >> > ++ {"gt and lt", "<>"}, >> > ++ {"quotes", `'"`}, >> > ++ {"ASCII letters", "ASCII letters"}, >> > ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"}, >> > ++ {"Pizza", "
On Tue, Oct 3, 2023 at 3:49 AM Shubham Kulkarni <skulkarni@mvista.com> wrote: > > Hi Steve, > > I have recreated the patch from scratch for dunfell and sent it as v4 - https://lists.openembedded.org/g/openembedded-core/message/188639 > The issue in v3 might be due to whitespaces. But v4 should be good. Sorry, it still fails: Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318 error: corrupt patch at line 1074 error: could not build fake ancestor To debug, try downloading your patch from the list and then applying it to the dunfell HEAD. Alternatively you could download from patchworks: https://patchwork.yoctoproject.org/project/oe-core/patch/20231003134246.24630-1-skulkarni@mvista.com/ Steve > On Sat, Sep 30, 2023 at 9:11 PM Shubham Kulkarni via lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> wrote: >> >> Apologies Steve, >> >> I will look into the issue and send a new patch for Dunfell. It worked for me on my machine. Maybe something I missed. >> >> Thanks, >> Shubham Kulkarni >> >> On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote: >>> >>> Sorry, this patch doesn't apply: >>> >>> Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318 >>> error: corrupt patch at line 478 >>> error: could not build fake ancestor >>> Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318 >>> >>> Steve >>> >>> On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via >>> lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> >>> wrote: >>> > >>> > From: Shubham Kulkarni <skulkarni@mvista.com> >>> > >>> > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 >>> > >>> > Upstream Link - >>> > CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b >>> > CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c 
>>> > >>> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> >>> > --- >>> > meta/recipes-devtools/go/go-1.14.inc | 5 +- >>> > .../go/go-1.14/CVE-2023-24538-1.patch | 4 +- >>> > .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++- >>> > .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++ >>> > .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++ >>> > .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++ >>> > ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++- >>> > .../go/go-1.14/CVE-2023-39318.patch | 38 +- >>> > 8 files changed, 2124 insertions(+), 20 deletions(-) >>> > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch >>> > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch >>> > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch >>> > rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%) >>> > >>> > diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc >>> > index be63f64825..091b778de8 100644 >>> > --- a/meta/recipes-devtools/go/go-1.14.inc >>> > +++ b/meta/recipes-devtools/go/go-1.14.inc >>> > @@ -60,7 +60,10 @@ SRC_URI += "\ >>> > file://CVE-2023-24534.patch \ >>> > file://CVE-2023-24538-1.patch \ >>> > file://CVE-2023-24538-2.patch \ >>> > - file://CVE-2023-24538-3.patch \ >>> > + file://CVE-2023-24538_3.patch \ >>> > + file://CVE-2023-24538_4.patch \ >>> > + file://CVE-2023-24538_5.patch \ >>> > + file://CVE-2023-24538_6.patch \ >>> > file://CVE-2023-24539.patch \ >>> > file://CVE-2023-24540.patch \ >>> > file://CVE-2023-29405-1.patch \ >>> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >>> > index eda26e5ff6..23c5075e41 100644 >>> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >>> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch >>> > @@ -1,7 +1,7 @@ 
>>> > From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 >>> > From: Brad Fitzpatrick <bradfitz@golang.org> >>> > Date: Mon, 2 Aug 2021 14:55:51 -0700 >>> > -Subject: [PATCH 1/3] net/netip: add new IP address package >>> > +Subject: [PATCH 1/6] net/netip: add new IP address package >>> > >>> > Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) >>> > Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> >>> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org> >>> > >>> > Dependency Patch #1 >>> > >>> > -Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0] >>> > +Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 >>> > CVE: CVE-2023-24538 >>> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> >>> > --- >>> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >>> > index 5036f2890b..3840617a32 100644 >>> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >>> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch >>> > @@ -1,7 +1,7 @@ >>> > From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 >>> > From: empijei <robclap8@gmail.com> >>> > Date: Fri, 27 Mar 2020 19:27:55 +0100 >>> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes >>> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes >>> > for JSON compatibility >>> > MIME-Version: 1.0 >>> > Content-Type: text/plain; charset=UTF-8 >>> > @@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072 >>> > CVE: CVE-2023-24538 
>>> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> >>> > --- >>> > - src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- >>> > - src/text/template/funcs.go | 8 +++--- >>> > - 2 files changed, 46 insertions(+), 32 deletions(-) >>> > + src/html/template/content_test.go | 70 +++++++++++++++++++------------------- >>> > + src/html/template/escape_test.go | 6 ++-- >>> > + src/html/template/example_test.go | 6 ++-- >>> > + src/html/template/js.go | 70 +++++++++++++++++++++++--------------- >>> > + src/html/template/js_test.go | 68 ++++++++++++++++++------------------ >>> > + src/html/template/template_test.go | 39 +++++++++++++++++++++ >>> > + src/text/template/exec_test.go | 6 ++-- >>> > + src/text/template/funcs.go | 8 ++--- >>> > + 8 files changed, 163 insertions(+), 110 deletions(-) >>> > >>> > +diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go >>> > +index 72d56f5..bd86527 100644 >>> > +--- a/src/html/template/content_test.go >>> > ++++ b/src/html/template/content_test.go >>> > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) { >>> > + HTML(`Hello, <b>World</b> &tc!`), >>> > + HTMLAttr(` dir="ltr"`), >>> > + JS(`c && alert("Hello, World!");`), >>> > +- JSStr(`Hello, World & O'Reilly\x21`), >>> > ++ JSStr(`Hello, World & O'Reilly\u0021`), >>> > + URL(`greeting=H%69,&addressee=(World)`), >>> > + Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`), >>> > + URL(`,foo/,`), >>> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello, <b>World</b> &tc!`, >>> > + ` dir="ltr"`, >>> > + `c && alert("Hello, World!");`, >>> > +- `Hello, World & O'Reilly\x21`, >>> > ++ `Hello, World & O'Reilly\u0021`, >>> > + `greeting=H%69,&addressee=(World)`, >>> > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, >>> > + `,foo/,`, >>> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello, World &tc!`, >>> > + ` 
dir="ltr"`, >>> > + `c && alert("Hello, World!");`, >>> > +- `Hello, World & O'Reilly\x21`, >>> > ++ `Hello, World & O'Reilly\u0021`, >>> > + `greeting=H%69,&addressee=(World)`, >>> > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, >>> > + `,foo/,`, >>> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello, World &tc!`, >>> > + ` dir="ltr"`, >>> > + `c && alert("Hello, World!");`, >>> > +- `Hello, World & O'Reilly\x21`, >>> > ++ `Hello, World & O'Reilly\u0021`, >>> > + `greeting=H%69,&addressee=(World)`, >>> > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, >>> > + `,foo/,`, >>> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello, <b>World</b> &tc!`, >>> > + ` dir="ltr"`, >>> > + `c && alert("Hello, World!");`, >>> > +- `Hello, World & O'Reilly\x21`, >>> > ++ `Hello, World & O'Reilly\u0021`, >>> > + `greeting=H%69,&addressee=(World)`, >>> > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, >>> > + `,foo/,`, >>> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) { >>> > + // Not escaped. >>> > + `c && alert("Hello, World!");`, >>> > + // Escape sequence not over-escaped. >>> > +- `"Hello, World & O'Reilly\x21"`, >>> > ++ `"Hello, World & O'Reilly\u0021"`, >>> > + `"greeting=H%69,\u0026addressee=(World)"`, >>> > + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, >>> > + `",foo/,"`, >>> > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) { >>> > + // Not JS escaped but HTML escaped. >>> > + `c && alert("Hello, World!");`, >>> > + // Escape sequence not over-escaped. 
>>> > +- `"Hello, World & O'Reilly\x21"`, >>> > ++ `"Hello, World & O'Reilly\u0021"`, >>> > + `"greeting=H%69,\u0026addressee=(World)"`, >>> > + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, >>> > + `",foo/,"`, >>> > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) { >>> > + { >>> > + `<script>alert("{{.}}")</script>`, >>> > + []string{ >>> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, >>> > +- `a[href =~ \x22\/\/example.com\x22]#foo`, >>> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, >>> > +- ` dir=\x22ltr\x22`, >>> > +- `c \x26\x26 alert(\x22Hello, World!\x22);`, >>> > ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, >>> > ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, >>> > ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, >>> > ++ ` dir=\u0022ltr\u0022`, >>> > ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, >>> > + // Escape sequence not over-escaped. >>> > +- `Hello, World \x26 O\x27Reilly\x21`, >>> > +- `greeting=H%69,\x26addressee=(World)`, >>> > +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >>> > ++ `Hello, World \u0026 O\u0027Reilly\u0021`, >>> > ++ `greeting=H%69,\u0026addressee=(World)`, >>> > ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >>> > + `,foo\/,`, >>> > + }, >>> > + }, >>> > + { >>> > + `<script type="text/javascript">alert("{{.}}")</script>`, >>> > + []string{ >>> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, >>> > +- `a[href =~ \x22\/\/example.com\x22]#foo`, >>> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, >>> > +- ` dir=\x22ltr\x22`, >>> > +- `c \x26\x26 alert(\x22Hello, World!\x22);`, >>> > ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, >>> > ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, >>> > ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, >>> > ++ ` dir=\u0022ltr\u0022`, >>> > ++ `c \u0026\u0026 alert(\u0022Hello, 
World!\u0022);`, >>> > + // Escape sequence not over-escaped. >>> > +- `Hello, World \x26 O\x27Reilly\x21`, >>> > +- `greeting=H%69,\x26addressee=(World)`, >>> > +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >>> > ++ `Hello, World \u0026 O\u0027Reilly\u0021`, >>> > ++ `greeting=H%69,\u0026addressee=(World)`, >>> > ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >>> > + `,foo\/,`, >>> > + }, >>> > + }, >>> > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) { >>> > + // Not escaped. >>> > + `c && alert("Hello, World!");`, >>> > + // Escape sequence not over-escaped. >>> > +- `"Hello, World & O'Reilly\x21"`, >>> > ++ `"Hello, World & O'Reilly\u0021"`, >>> > + `"greeting=H%69,\u0026addressee=(World)"`, >>> > + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, >>> > + `",foo/,"`, >>> > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello, <b>World</b> &tc!`, >>> > + ` dir="ltr"`, >>> > + `c && alert("Hello, World!");`, >>> > +- `Hello, World & O'Reilly\x21`, >>> > ++ `Hello, World & O'Reilly\u0021`, >>> > + `greeting=H%69,&addressee=(World)`, >>> > + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, >>> > + `,foo/,`, >>> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) { >>> > + { >>> > + `<button onclick='alert("{{.}}")'>`, >>> > + []string{ >>> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, >>> > +- `a[href =~ \x22\/\/example.com\x22]#foo`, >>> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, >>> > +- ` dir=\x22ltr\x22`, >>> > +- `c \x26\x26 alert(\x22Hello, World!\x22);`, >>> > ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, >>> > ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, >>> > ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, >>> > ++ ` dir=\u0022ltr\u0022`, >>> > ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, >>> > + // Escape 
sequence not over-escaped. >>> > +- `Hello, World \x26 O\x27Reilly\x21`, >>> > +- `greeting=H%69,\x26addressee=(World)`, >>> > +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >>> > ++ `Hello, World \u0026 O\u0027Reilly\u0021`, >>> > ++ `greeting=H%69,\u0026addressee=(World)`, >>> > ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, >>> > + `,foo\/,`, >>> > + }, >>> > + }, >>> > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, >>> > + `%20dir%3d%22ltr%22`, >>> > + `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, >>> > +- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, >>> > ++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, >>> > + // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done. >>> > + `greeting=H%69,&addressee=%28World%29`, >>> > + `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`, >>> > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) { >>> > + `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`, >>> > + `%20dir%3d%22ltr%22`, >>> > + `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`, >>> > +- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`, >>> > ++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`, >>> > + // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done. 
>>> > + `greeting=H%69,&addressee=%28World%29`, >>> > + `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`, >>> > +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go >>> > +index e72a9ba..c709660 100644 >>> > +--- a/src/html/template/escape_test.go >>> > ++++ b/src/html/template/escape_test.go >>> > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) { >>> > + { >>> > + "jsStr", >>> > + "<button onclick='alert("{{.H}}")'>", >>> > +- `<button onclick='alert("\x3cHello\x3e")'>`, >>> > ++ `<button onclick='alert("\u003cHello\u003e")'>`, >>> > + }, >>> > + { >>> > + "badMarshaler", >>> > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) { >>> > + { >>> > + "jsRe", >>> > + `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`, >>> > +- `<button onclick='alert(/foo\x2bbar/.test(""))'>`, >>> > ++ `<button onclick='alert(/foo\u002bbar/.test(""))'>`, >>> > + }, >>> > + { >>> > + "jsReBlank", >>> > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) { >>> > + "main": `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`, >>> > + "helper": `{{11}} of {{"<100>"}}`, >>> > + }, >>> > +- `<button onclick="title='11 of \x3c100\x3e'; ...">11 of <100></button>`, >>> > ++ `<button onclick="title='11 of \u003c100\u003e'; ...">11 of <100></button>`, >>> > + }, >>> > + // A non-recursive template that ends in a different context. >>> > + // helper starts in jsCtxRegexp and ends in jsCtxDivOp. 
>>> > +diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go >>> > +index 9d965f1..6cf936f 100644 >>> > +--- a/src/html/template/example_test.go >>> > ++++ b/src/html/template/example_test.go >>> > +@@ -116,9 +116,9 @@ func Example_escape() { >>> > + // "Fran & Freddie's Diner" <tasty@example.com> >>> > + // "Fran & Freddie's Diner" <tasty@example.com> >>> > + // "Fran & Freddie's Diner"32<tasty@example.com> >>> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E >>> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E >>> > +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E >>> > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E >>> > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E >>> > ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E >>> > + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E >>> > + >>> > + } >>> > diff --git a/src/html/template/js.go b/src/html/template/js.go >>> > index 0e91458..ea9c183 100644 >>> > --- a/src/html/template/js.go 
>>> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644 >>> > '?': `\?`, >>> > '[': `\[`, >>> > '\\': `\\`, >>> > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go >>> > +index 075adaa..d7ee47b 100644 >>> > +--- a/src/html/template/js_test.go >>> > ++++ b/src/html/template/js_test.go >>> > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) { >>> > + {"foo", `"foo"`}, >>> > + // Newlines. >>> > + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, >>> > +- // "\v" == "v" on IE 6 so use "\x0b" instead. >>> > ++ // "\v" == "v" on IE 6 so use "\u000b" instead. >>> > + {"\t\x0b", `"\t\u000b"`}, >>> > + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, >>> > + {[]interface{}{}, "[]"}, >>> > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) { >>> > + }{ >>> > + {"", ``}, >>> > + {"foo", `foo`}, >>> > +- {"\u0000", `\0`}, >>> > ++ {"\u0000", `\u0000`}, >>> > + {"\t", `\t`}, >>> > + {"\n", `\n`}, >>> > + {"\r", `\r`}, >>> > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) { >>> > + {"\\n", `\\n`}, >>> > + {"foo\r\nbar", `foo\r\nbar`}, >>> > + // Preserve attribute boundaries. >>> > +- {`"`, `\x22`}, >>> > +- {`'`, `\x27`}, >>> > ++ {`"`, `\u0022`}, >>> > ++ {`'`, `\u0027`}, >>> > + // Allow embedding in HTML without further escaping. >>> > +- {`&`, `\x26amp;`}, >>> > ++ {`&`, `\u0026amp;`}, >>> > + // Prevent breaking out of text node and element boundaries. 
>>> > +- {"</script>", `\x3c\/script\x3e`}, >>> > +- {"<![CDATA[", `\x3c![CDATA[`}, >>> > +- {"]]>", `]]\x3e`}, >>> > ++ {"</script>", `\u003c\/script\u003e`}, >>> > ++ {"<![CDATA[", `\u003c![CDATA[`}, >>> > ++ {"]]>", `]]\u003e`}, >>> > + // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span >>> > + // "The text in style, script, title, and textarea elements >>> > + // must not have an escaping text span start that is not >>> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) { >>> > + // allow regular text content to be interpreted as script >>> > + // allowing script execution via a combination of a JS string >>> > + // injection followed by an HTML text injection. >>> > +- {"<!--", `\x3c!--`}, >>> > +- {"-->", `--\x3e`}, >>> > ++ {"<!--", `\u003c!--`}, >>> > ++ {"-->", `--\u003e`}, >>> > + // From https://code.google.com/p/doctype/wiki/ArticleUtf7 >>> > + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", >>> > +- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, >>> > ++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`, >>> > + }, >>> > + // Invalid UTF-8 sequence >>> > + {"foo\xA0bar", "foo\xA0bar"}, >>> > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) { >>> > + }{ >>> > + {"", `(?:)`}, >>> > + {"foo", `foo`}, >>> > +- {"\u0000", `\0`}, >>> > ++ {"\u0000", `\u0000`}, >>> > + {"\t", `\t`}, >>> > + {"\n", `\n`}, >>> > + {"\r", `\r`}, >>> > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) { >>> > + {"\\n", `\\n`}, >>> > + {"foo\r\nbar", `foo\r\nbar`}, >>> > + // Preserve attribute boundaries. >>> > +- {`"`, `\x22`}, >>> > +- {`'`, `\x27`}, >>> > ++ {`"`, `\u0022`}, >>> > ++ {`'`, `\u0027`}, >>> > + // Allow embedding in HTML without further escaping. >>> > +- {`&`, `\x26amp;`}, >>> > ++ {`&`, `\u0026amp;`}, >>> > + // Prevent breaking out of text node and element boundaries. 
>>> > +- {"</script>", `\x3c\/script\x3e`}, >>> > +- {"<![CDATA[", `\x3c!\[CDATA\[`}, >>> > +- {"]]>", `\]\]\x3e`}, >>> > ++ {"</script>", `\u003c\/script\u003e`}, >>> > ++ {"<![CDATA[", `\u003c!\[CDATA\[`}, >>> > ++ {"]]>", `\]\]\u003e`}, >>> > + // Escaping text spans. >>> > +- {"<!--", `\x3c!\-\-`}, >>> > +- {"-->", `\-\-\x3e`}, >>> > ++ {"<!--", `\u003c!\-\-`}, >>> > ++ {"-->", `\-\-\u003e`}, >>> > + {"*", `\*`}, >>> > +- {"+", `\x2b`}, >>> > ++ {"+", `\u002b`}, >>> > + {"?", `\?`}, >>> > + {"[](){}", `\[\]\(\)\{\}`}, >>> > + {"$foo|x.y", `\$foo\|x\.y`}, >>> > +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { >>> > + { >>> > + "jsStrEscaper", >>> > + jsStrEscaper, >>> > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + >>> > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + >>> > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + >>> > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + >>> > +- ` !\x22#$%\x26\x27()*\x2b,-.\/` + >>> > +- `0123456789:;\x3c=\x3e?` + >>> > ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + >>> > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + >>> > ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + >>> > ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + >>> > ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` + >>> > ++ `0123456789:;\u003c=\u003e?` + >>> > + `@ABCDEFGHIJKLMNO` + >>> > + `PQRSTUVWXYZ[\\]^_` + >>> > + "`abcdefghijklmno" + >>> > +- "pqrstuvwxyz{|}~\x7f" + >>> > ++ "pqrstuvwxyz{|}~\u007f" + >>> > + "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", >>> > + }, >>> > + { >>> > + "jsRegexpEscaper", >>> > + jsRegexpEscaper, >>> > +- "\\0\x01\x02\x03\x04\x05\x06\x07" + >>> > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + >>> > +- "\x10\x11\x12\x13\x14\x15\x16\x17" + >>> > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + >>> > +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` + >>> > +- `0123456789:;\x3c=\x3e\?` + >>> > ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + >>> > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + >>> > ++ 
`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + >>> > ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + >>> > ++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` + >>> > ++ `0123456789:;\u003c=\u003e\?` + >>> > + `@ABCDEFGHIJKLMNO` + >>> > + `PQRSTUVWXYZ\[\\\]\^_` + >>> > + "`abcdefghijklmno" + >>> > +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go >>> > +index 13e6ba4..86bd4db 100644 >>> > +--- a/src/html/template/template_test.go >>> > ++++ b/src/html/template/template_test.go >>> > +@@ -6,6 +6,7 @@ package template_test >>> > + >>> > + import ( >>> > + "bytes" >>> > ++ "encoding/json" >>> > + . "html/template" >>> > + "strings" >>> > + "testing" >>> > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) { >>> > + c.mustExecute(c.root, nil, "12.34 7.5") >>> > + } >>> > + >>> > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) { >>> > ++ // See #33671 and #37634 for more context on this. >>> > ++ tests := []struct{ name, in string }{ >>> > ++ {"empty", ""}, >>> > ++ {"invalid", string(rune(-1))}, >>> > ++ {"null", "\u0000"}, >>> > ++ {"unit separator", "\u001F"}, >>> > ++ {"tab", "\t"}, >>> > ++ {"gt and lt", "<>"}, >>> > ++ {"quotes", `'"`}, >>> > ++ {"ASCII letters", "ASCII letters"}, >>> > ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"}, >>> > ++ {"Pizza", "
Hi Steve, Thank you so much for sharing the patchwork link. I have figured out the problem: the issue is due to a special character used in the golang/go upstream repository. Below are the details: To fix CVE-2023-24538 in Dunfell, a dependent patch https://github.com/golang/go/commit/d4d298040d needs to be backported (I have backported it as CVE-2023-24538-2.patch). This patch includes a line with a special character, {"Pizza", "
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index be63f64825..091b778de8 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -60,7 +60,10 @@ SRC_URI += "\
 file://CVE-2023-24534.patch \
 file://CVE-2023-24538-1.patch \
 file://CVE-2023-24538-2.patch \
- file://CVE-2023-24538-3.patch \
+ file://CVE-2023-24538_3.patch \
+ file://CVE-2023-24538_4.patch \
+ file://CVE-2023-24538_5.patch \
+ file://CVE-2023-24538_6.patch \
 file://CVE-2023-24539.patch \
 file://CVE-2023-24540.patch \
 file://CVE-2023-29405-1.patch \
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
index eda26e5ff6..23c5075e41 100644
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
@@ -1,7 +1,7 @@
 From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
 From: Brad Fitzpatrick <bradfitz@golang.org>
 Date: Mon, 2 Aug 2021 14:55:51 -0700
-Subject: [PATCH 1/3] net/netip: add new IP address package
+Subject: [PATCH 1/6] net/netip: add new IP address package
 
 Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
 Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
@@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org>
 
 Dependency Patch #1
 
-Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]
+Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
 CVE: CVE-2023-24538
 Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
 ---
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
index 5036f2890b..3840617a32 100644
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -1,7 +1,7 @@
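Review bot: The four new SRC_URI entries use an underscore separator (`file://CVE-2023-24538_3.patch` … `_6.patch`) while the two entries kept just above them use a hyphen (`CVE-2023-24538-1.patch`, `-2.patch`), so one CVE's patch series is now split across two naming schemes in the same recipe. If the rename away from the old `-3.patch` was only to avoid confusion with the previous file of that name, keeping the series as `-3` … `-6` would make the set easier to audit against the CVE. The same inconsistency is visible in the file headers of the patch-file diffs that follow.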
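Review bot: In the `@@ -31,7 +31,7 @@` hunk of CVE-2023-24538-1.patch the line `Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]` is replaced by `Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0`; the bracketed form is the one the OE patch-status guidelines describe, so this appears to move away from the convention rather than toward it. The new wording does match the existing `Upstream-Status: Backport from …` line in CVE-2023-24538-2.patch, so if consistency between the two files is the goal, converting that file to the bracketed form would satisfy both.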
 From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
 From: empijei <robclap8@gmail.com>
 Date: Fri, 27 Mar 2020 19:27:55 +0100
-Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
+Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes
 for JSON compatibility
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072
 CVE: CVE-2023-24538
 Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
 ---
- src/html/template/js.go | 70 +++++++++++++++++++++++++++-------------------
- src/text/template/funcs.go | 8 +++---
- 2 files changed, 46 insertions(+), 32 deletions(-)
+ src/html/template/content_test.go | 70 +++++++++++++++++++-------------------
+ src/html/template/escape_test.go | 6 ++--
+ src/html/template/example_test.go | 6 ++--
+ src/html/template/js.go | 70 +++++++++++++++++++++++---------------
+ src/html/template/js_test.go | 68 ++++++++++++++++++------------------
+ src/html/template/template_test.go | 39 +++++++++++++++++++++
+ src/text/template/exec_test.go | 6 ++--
+ src/text/template/funcs.go | 8 ++---
+ 8 files changed, 163 insertions(+), 110 deletions(-)
 
+diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go
+index 72d56f5..bd86527 100644
+--- a/src/html/template/content_test.go
++++ b/src/html/template/content_test.go
+@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
+ HTML(`Hello, <b>World</b> &tc!`),
+ HTMLAttr(` dir="ltr"`),
+ JS(`c && alert("Hello, World!");`),
+- JSStr(`Hello, World & O'Reilly\x21`),
++ JSStr(`Hello, World & O'Reilly\u0021`),
+ URL(`greeting=H%69,&addressee=(World)`),
+ Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
+ URL(`,foo/,`),
+@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &tc!`,
+ ` dir="ltr"`,
+ `c && alert("Hello, World!");`,
+- `Hello, World & O'Reilly\x21`,
++ `Hello, World & O'Reilly\u0021`,
+ `greeting=H%69,&addressee=(World)`,
+ `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, World &tc!`,
+ ` dir="ltr"`,
+ `c && alert("Hello, World!");`,
+- `Hello, World & O'Reilly\x21`,
++ `Hello, World & O'Reilly\u0021`,
+ `greeting=H%69,&addressee=(World)`,
+ `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, World &tc!`,
+ ` dir="ltr"`,
+ `c && alert("Hello, World!");`,
+- `Hello, World & O'Reilly\x21`,
++ `Hello, World & O'Reilly\u0021`,
+ `greeting=H%69,&addressee=(World)`,
+ `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &tc!`,
+ ` dir="ltr"`,
+ `c && alert("Hello, World!");`,
+- `Hello, World & O'Reilly\x21`,
++ `Hello, World & O'Reilly\u0021`,
+ `greeting=H%69,&addressee=(World)`,
+ `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
+ // Not escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
+ // Not JS escaped but HTML escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
+ {
+ `<script>alert("{{.}}")</script>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+ {
+ `<script type="text/javascript">alert("{{.}}")</script>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
+ // Not escaped.
+ `c && alert("Hello, World!");`,
+ // Escape sequence not over-escaped.
+- `"Hello, World & O'Reilly\x21"`,
++ `"Hello, World & O'Reilly\u0021"`,
+ `"greeting=H%69,\u0026addressee=(World)"`,
+ `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+ `",foo/,"`,
+@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello, <b>World</b> &tc!`,
+ ` dir="ltr"`,
+ `c && alert("Hello, World!");`,
+- `Hello, World & O'Reilly\x21`,
++ `Hello, World & O'Reilly\u0021`,
+ `greeting=H%69,&addressee=(World)`,
+ `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+ `,foo/,`,
+@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
+ {
+ `<button onclick='alert("{{.}}")'>`,
+ []string{
+- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+- `a[href =~ \x22\/\/example.com\x22]#foo`,
+- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+- ` dir=\x22ltr\x22`,
+- `c \x26\x26 alert(\x22Hello, World!\x22);`,
++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++ `a[href =~ \u0022\/\/example.com\u0022]#foo`,
++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++ ` dir=\u0022ltr\u0022`,
++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+ // Escape sequence not over-escaped.
+- `Hello, World \x26 O\x27Reilly\x21`,
+- `greeting=H%69,\x26addressee=(World)`,
+- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++ `Hello, World \u0026 O\u0027Reilly\u0021`,
++ `greeting=H%69,\u0026addressee=(World)`,
++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+ `,foo\/,`,
+ },
+ },
+@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+ `%20dir%3d%22ltr%22`,
+ `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+ // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
+ `greeting=H%69,&addressee=%28World%29`,
+ `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
+ `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+ `%20dir%3d%22ltr%22`,
+ `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+- `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++ `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+ // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
+ `greeting=H%69,&addressee=%28World%29`,
+ `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index e72a9ba..c709660 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
+ {
+ "jsStr",
+ "<button onclick='alert("{{.H}}")'>",
+- `<button onclick='alert("\x3cHello\x3e")'>`,
++ `<button onclick='alert("\u003cHello\u003e")'>`,
+ },
+ {
+ "badMarshaler",
+@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
+ {
+ "jsRe",
+ `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
+- `<button onclick='alert(/foo\x2bbar/.test(""))'>`,
++ `<button onclick='alert(/foo\u002bbar/.test(""))'>`,
+ },
+ {
+ "jsReBlank",
+@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
+ "main": `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
+ "helper": `{{11}} of {{"<100>"}}`,
+ },
+- `<button onclick="title='11 of \x3c100\x3e'; ...">11 of <100></button>`,
++ `<button onclick="title='11 of \u003c100\u003e'; ...">11 of <100></button>`,
+ },
+ // A non-recursive template that ends in a different context.
+ // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
+diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go
+index 9d965f1..6cf936f 100644
+--- a/src/html/template/example_test.go
++++ b/src/html/template/example_test.go
+@@ -116,9 +116,9 @@ func Example_escape() {
+ // "Fran & Freddie's Diner" <tasty@example.com>
+ // "Fran & Freddie's Diner" <tasty@example.com>
+ // "Fran & Freddie's Diner"32<tasty@example.com>
+- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
+ // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
+ 
+ }
 diff --git a/src/html/template/js.go b/src/html/template/js.go
 index 0e91458..ea9c183 100644
 --- a/src/html/template/js.go
@@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644
 '?': `\?`,
 '[': `\[`,
 '\\': `\\`,
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index 075adaa..d7ee47b 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
+ {"foo", `"foo"`},
+ // Newlines.
+ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
+- // "\v" == "v" on IE 6 so use "\x0b" instead.
++ // "\v" == "v" on IE 6 so use "\u000b" instead.
+ {"\t\x0b", `"\t\u000b"`},
+ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+ {[]interface{}{}, "[]"},
+@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
+ }{
+ {"", ``},
+ {"foo", `foo`},
+- {"\u0000", `\0`},
++ {"\u0000", `\u0000`},
+ {"\t", `\t`},
+ {"\n", `\n`},
+ {"\r", `\r`},
+@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
+ {"\\n", `\\n`},
+ {"foo\r\nbar", `foo\r\nbar`},
+ // Preserve attribute boundaries.
+- {`"`, `\x22`},
+- {`'`, `\x27`},
++ {`"`, `\u0022`},
++ {`'`, `\u0027`},
+ // Allow embedding in HTML without further escaping.
+- {`&`, `\x26amp;`},
++ {`&`, `\u0026amp;`},
+ // Prevent breaking out of text node and element boundaries.
+- {"</script>", `\x3c\/script\x3e`},
+- {"<![CDATA[", `\x3c![CDATA[`},
+- {"]]>", `]]\x3e`},
++ {"</script>", `\u003c\/script\u003e`},
++ {"<![CDATA[", `\u003c![CDATA[`},
++ {"]]>", `]]\u003e`},
+ // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
+ // "The text in style, script, title, and textarea elements
+ // must not have an escaping text span start that is not
+@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
+ // allow regular text content to be interpreted as script
+ // allowing script execution via a combination of a JS string
+ // injection followed by an HTML text injection.
+- {"<!--", `\x3c!--`},
+- {"-->", `--\x3e`},
++ {"<!--", `\u003c!--`},
++ {"-->", `--\u003e`},
+ // From https://code.google.com/p/doctype/wiki/ArticleUtf7
+ {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
+ },
+ // Invalid UTF-8 sequence
+ {"foo\xA0bar", "foo\xA0bar"},
+@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
+ }{
+ {"", `(?:)`},
+ {"foo", `foo`},
+- {"\u0000", `\0`},
++ {"\u0000", `\u0000`},
+ {"\t", `\t`},
+ {"\n", `\n`},
+ {"\r", `\r`},
+@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
+ {"\\n", `\\n`},
+ {"foo\r\nbar", `foo\r\nbar`},
+ // Preserve attribute boundaries.
+- {`"`, `\x22`},
+- {`'`, `\x27`},
++ {`"`, `\u0022`},
++ {`'`, `\u0027`},
+ // Allow embedding in HTML without further escaping.
+- {`&`, `\x26amp;`},
++ {`&`, `\u0026amp;`},
+ // Prevent breaking out of text node and element boundaries.
+- {"</script>", `\x3c\/script\x3e`},
+- {"<![CDATA[", `\x3c!\[CDATA\[`},
+- {"]]>", `\]\]\x3e`},
++ {"</script>", `\u003c\/script\u003e`},
++ {"<![CDATA[", `\u003c!\[CDATA\[`},
++ {"]]>", `\]\]\u003e`},
+ // Escaping text spans.
+- {"<!--", `\x3c!\-\-`},
+- {"-->", `\-\-\x3e`},
++ {"<!--", `\u003c!\-\-`},
++ {"-->", `\-\-\u003e`},
+ {"*", `\*`},
+- {"+", `\x2b`},
++ {"+", `\u002b`},
+ {"?", `\?`},
+ {"[](){}", `\[\]\(\)\{\}`},
+ {"$foo|x.y", `\$foo\|x\.y`},
+@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
+ {
+ "jsStrEscaper",
+ jsStrEscaper,
+- "\\0\x01\x02\x03\x04\x05\x06\x07" +
+- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+- "\x10\x11\x12\x13\x14\x15\x16\x17" +
+- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+- ` !\x22#$%\x26\x27()*\x2b,-.\/` +
+- `0123456789:;\x3c=\x3e?` +
++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
++ `0123456789:;\u003c=\u003e?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ[\\]^_` +
+ "`abcdefghijklmno" +
+- "pqrstuvwxyz{|}~\x7f" +
++ "pqrstuvwxyz{|}~\u007f" +
+ "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
+ },
+ {
+ "jsRegexpEscaper",
+ jsRegexpEscaper,
+- "\\0\x01\x02\x03\x04\x05\x06\x07" +
+- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+- "\x10\x11\x12\x13\x14\x15\x16\x17" +
+- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
+- `0123456789:;\x3c=\x3e\?` +
++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
++ `0123456789:;\u003c=\u003e\?` +
+ `@ABCDEFGHIJKLMNO` +
+ `PQRSTUVWXYZ\[\\\]\^_` +
+ "`abcdefghijklmno" +
+diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
+index 13e6ba4..86bd4db 100644
+--- a/src/html/template/template_test.go
++++ b/src/html/template/template_test.go
+@@ -6,6 +6,7 @@ package template_test
+ 
+ import (
+ "bytes"
++ "encoding/json"
+ . "html/template"
+ "strings"
+ "testing"
+@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
+ c.mustExecute(c.root, nil, "12.34 7.5")
+ }
+ 
++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
++ // See #33671 and #37634 for more context on this.
++ tests := []struct{ name, in string }{
++ {"empty", ""},
++ {"invalid", string(rune(-1))},
++ {"null", "\u0000"},
++ {"unit separator", "\u001F"},
++ {"tab", "\t"},
++ {"gt and lt", "<>"},
++ {"quotes", `'"`},
++ {"ASCII letters", "ASCII letters"},
++ {"Unicode", "ʕ⊙ϖ⊙ʔ"},
++ {"Pizza", "