net/url: JoinPath doesn't strip relative path components in all circumstances [1.19 backport] #54635
Labels: CherryPickApproved (used during the release process for point releases), FrozenDueToAge, release-blocker, Security
gopherbot added the CherryPickCandidate label Aug 23, 2022

dr2chase added the CherryPickApproved label Aug 24, 2022

gopherbot removed the CherryPickCandidate label Aug 24, 2022
Change https://go.dev/cl/425357 mentions this issue:

Closed by merging 2833550 to release-branch.go1.19.
gopherbot pushed a commit that referenced this issue Aug 29, 2022

…JoinPath

JoinPath would fail to remove relative elements from the start of the path when the first path element is "".

In addition, JoinPath would return the original path unmodified when provided with no elements to join, violating the documented behavior of always cleaning the resulting path.

Correct both these cases.

    JoinPath("http://go.dev", "../go")
    // before: http://go.dev/../go
    // after: http://go.dev/go

    JoinPath("http://go.dev/../go")
    // before: http://go.dev/../go
    // after: http://go.dev/go

For #54385.
Fixes #54635.
Fixes CVE-2022-32190.

Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
(cherry picked from commit 0765da5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Sep 8, 2022

…JoinPath

JoinPath would fail to remove relative elements from the start of the path when the first path element is "".

In addition, JoinPath would return the original path unmodified when provided with no elements to join, violating the documented behavior of always cleaning the resulting path.

Correct both these cases.

    JoinPath("http://go.dev", "../go")
    // before: http://go.dev/../go
    // after: http://go.dev/go

    JoinPath("http://go.dev/../go")
    // before: http://go.dev/../go
    // after: http://go.dev/go

For golang#54385.
Fixes golang#54635.
Fixes CVE-2022-32190.

Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
(cherry picked from commit 0765da5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
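An added example, not part of the Go change or of this thread: a caller-side guard that accepts a `JoinPath` result only if no `..` segment survived and the path is still under the base path. `joinUnder`, `hasDotDot` and the `files.example` host are hypothetical names and constructed inputs; the two `go.dev` inputs are the cases from the commit message.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// hasDotDot reports whether the decoded path p still has a ".." segment.
func hasDotDot(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// joinUnder (hypothetical helper) joins elems onto base with JoinPath and
// returns the URL only if its path is clean and still under base's path.
func joinUnder(base string, elems ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	j := b.JoinPath(elems...)
	// Checking the decoded Path also covers a percent-encoded "%2e%2e" segment.
	if hasDotDot(j.Path) {
		return "", fmt.Errorf("%q still contains a .. segment", j.String())
	}
	root := path.Clean("/" + b.Path)
	got := "/" + strings.TrimPrefix(j.Path, "/")
	if got != root && !strings.HasPrefix(got, strings.TrimSuffix(root, "/")+"/") {
		return "", fmt.Errorf("%q is outside base path %q", j.String(), root)
	}
	return j.String(), nil
}

func main() {
	// Constructed inputs; the first two are the cases from the commit message.
	fmt.Println(joinUnder("http://go.dev", "../go"))
	fmt.Println(joinUnder("http://go.dev/../go"))
	fmt.Println(joinUnder("http://files.example/v1/files", "../admin"))
}
```

On a toolchain with the fix, the two `go.dev` cases return `http://go.dev/go`; the `../admin` case is rejected because the cleaned path `/v1/admin` is no longer under `/v1/files`.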
@neild requested issue #54385 to be considered for backport to the next 1.19 minor release.