x/text: panic in language.ParseAcceptLanguage while parsing -u- extension #42535
Comments
/cc @mpvl
CVE-2020-28851 appears to have been assigned for this issue.
Is a fix available for this, or any info on what version of go it will go into? Or is it just x/text that's affected and the fix will be there (may already be there)?
The latest text v0.3.5 #42536 (comment) still does not have a fix for this issue.
/cc @rsc
Any update/ETA on this issue is appreciated.
+1 -- any word on the progress of this?
Discussed with @mpvl - this is in a different part of the code and still needs to be fixed. He will work on it.
Change https://golang.org/cl/293549 mentions this issue:
"Any update/ETA on this issue is appreciated."
@Jethzabell: submitted a fix.
A new tag on x/text is appreciated.
+1
While we are waiting for the tag ... here is the go.mod update to pick up the fix
I'm somewhat new to the Go community, but I have observed that with go1.16.2, when you run I should note: I'm aware I can change the version that is used in my
Any idea when the tagged v0.3.6 version with the fix will be available?
There is another urgent fix pending and will tag afterwards.
On Fri, Mar 26, 2021 at 12:06 RSAlderman ***@***.***> wrote:
Any idea when the tagged v0.3.6 version
<https://github.com/golang/text/tags> with the fix will be available?
--
Marcel van Lohuizen -- Google Switzerland GmbH -- Identifikationsnummer:
CH-020.4.028.116-1
update text package to 0.3.6 to fix CVE-2020-28851

more details at golang/go#42535 and https://bugzilla.redhat.com/show_bug.cgi?id=1922730

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This also fixes CVE-2020-28851. This was an off-by-one error, but is fixed by handling all cases according to the spec. These valid cases seem to be not used in practice much, if at all, but the main benefit is that it makes all valid BCP 47 language tags also valid -u extensions. Fixing the code to handle BCP 47 results in cleaner and seemingly more robust code.

The main difference is as follows. The old implementation assumed a -u- extension of the form:

<tag> "-u" { "-" <attr> } { "-" <key> "-" <type> } [ <otherExtensions> ]

where <attr> and <type> are of length 3-8 and a <key> is of length 2. According to the spec, though, the format is

<tag> "-u" { "-" <attr> } { "-" <key> { "-" <type> } } [ <otherExtensions> ]

So every key may be associated with zero or more types, instead of exactly one. The new code now handles this.

The language.Tag.TypeForKey method is now defined to only return the first entry or nothing at all. This is for backwards compatibility reasons.

Fixes golang/go#42535

Change-Id: I23aec4e1c4d8807fc2ffc0eb3a08de2d8150219f
Reviewed-on: https://go-review.googlesource.com/c/text/+/293549
Trust: Marcel van Lohuizen <mpvl@golang.org>
Run-TryBot: Marcel van Lohuizen <mpvl@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
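As an added example (not code from x/text or from this issue), here is a small stand-alone Go parser for the -u- extension written against the grammar quoted in the commit message above; the names ParseU, UExtension and ErrSyntax are chosen here. It accepts a key with zero or several types, which the old one-type-per-key assumption did not, and answers malformed input such as an untrusted Accept-Language value with an error rather than a panic.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

var ErrSyntax = errors.New("u-extension: syntax error") // returned, never panicked
// UExtension is one parsed "-u-" extension of a BCP 47 tag.
type UExtension struct {
	Attrs []string            // leading attributes, if any
	Types map[string][]string // key -> zero or more types (the cases the old code mishandled)
}

var alnum = regexp.MustCompile(`^[a-z0-9]+$`)
// isSub reports whether s is an ASCII alphanumeric subtag with min <= len(s) <= max.
func isSub(s string, min, max int) bool { return len(s) >= min && len(s) <= max && alnum.MatchString(s) }

// ParseU parses the -u- extension of a BCP 47 tag per the grammar from the fix,
// <tag> "-u" { "-" <attr> } { "-" <key> { "-" <type> } } [ <otherExtensions> ]
// (attr/type length 3-8, key length 2), and returns it plus the unconsumed remainder.
func ParseU(tag string) (UExtension, string, error) {
	subs := strings.Split(strings.ToLower(tag), "-")
	u := UExtension{Types: map[string][]string{}}
	i := 1 // subs[0] is the language; look for the "u" singleton after it
	for i < len(subs) && subs[i] != "u" {
		i++
	}
	if i == len(subs) {
		return u, "", ErrSyntax // no -u- extension at all
	}
	first := i + 1
	for i++; i < len(subs) && isSub(subs[i], 3, 8); i++ {
		u.Attrs = append(u.Attrs, subs[i])
	}
	for i < len(subs) && isSub(subs[i], 2, 2) {
		key := subs[i]
		u.Types[key] = []string{} // a key with zero types is valid
		for i++; i < len(subs) && isSub(subs[i], 3, 8); i++ {
			u.Types[key] = append(u.Types[key], subs[i])
		}
	}
	// At least one subtag must follow "u"; anything left must open another singleton extension.
	if i == first || (i < len(subs) && !isSub(subs[i], 1, 1)) {
		return u, "", ErrSyntax
	}
	return u, strings.Join(subs[i:], "-"), nil
}
```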
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
https://play.golang.org/p/FCHj_rCBdiH
What did you expect to see?
Error via return value
What did you see instead?