net/url: JoinPath doesn't strip relative path components in all circumstances [1.19 backport] #54635

gopherbot · 2022-08-23T22:01:59Z

@neild requested issue #54385 to be considered for backport to the next 1.19 minor release.

@gopherbot please open backport issues.

gopherbot · 2022-08-24T18:19:19Z

Change https://go.dev/cl/425357 mentions this issue: [release-branch.go1.19] net/url: consistently remove ../ elements in JoinPath

gopherbot · 2022-08-29T19:14:20Z

Closed by merging 2833550 to release-branch.go1.19.

…JoinPath JoinPath would fail to remove relative elements from the start of the path when the first path element is "". In addition, JoinPath would return the original path unmodified when provided with no elements to join, violating the documented behavior of always cleaning the resulting path. Correct both these cases. JoinPath("http://go.dev", "../go") // before: http://go.dev/../go // after: http://go.dev/go JoinPath("http://go.dev/../go") // before: http://go.dev/../go // after: http://go.dev/go For #54385. Fixes #54635. Fixes CVE-2022-32190. Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9 Reviewed-on: https://go-review.googlesource.com/c/go/+/423514 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Alan Donovan <adonovan@google.com> (cherry picked from commit 0765da5) Reviewed-on: https://go-review.googlesource.com/c/go/+/425357 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

…JoinPath JoinPath would fail to remove relative elements from the start of the path when the first path element is "". In addition, JoinPath would return the original path unmodified when provided with no elements to join, violating the documented behavior of always cleaning the resulting path. Correct both these cases. JoinPath("http://go.dev", "../go") // before: http://go.dev/../go // after: http://go.dev/go JoinPath("http://go.dev/../go") // before: http://go.dev/../go // after: http://go.dev/go For golang#54385. Fixes golang#54635. Fixes CVE-2022-32190. Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9 Reviewed-on: https://go-review.googlesource.com/c/go/+/423514 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Alan Donovan <adonovan@google.com> (cherry picked from commit 0765da5) Reviewed-on: https://go-review.googlesource.com/c/go/+/425357 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

gopherbot added the CherryPickCandidate Used during the release process for point releases label Aug 23, 2022

gopherbot mentioned this issue Aug 23, 2022

net/url: JoinPath doesn't strip relative path components in all circumstances #54385

Closed

gopherbot added this to the Go1.19.1 milestone Aug 23, 2022

dr2chase added the CherryPickApproved Used during the release process for point releases label Aug 24, 2022

gopherbot removed the CherryPickCandidate Used during the release process for point releases label Aug 24, 2022

neild added Security release-blocker labels Aug 24, 2022

gopherbot closed this as completed Aug 29, 2022

s-l-teichmann mentioned this issue Sep 7, 2022

Remove old url.JoinPath code csaf-poc/csaf_distribution#294

Closed

golang locked and limited conversation to collaborators Aug 29, 2023

gopherbot added the FrozenDueToAge label Aug 29, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

net/url: JoinPath doesn't strip relative path components in all circumstances [1.19 backport] #54635

net/url: JoinPath doesn't strip relative path components in all circumstances [1.19 backport] #54635

gopherbot commented Aug 23, 2022

gopherbot commented Aug 24, 2022

gopherbot commented Aug 29, 2022

net/url: JoinPath doesn't strip relative path components in all circumstances [1.19 backport] #54635

net/url: JoinPath doesn't strip relative path components in all circumstances [1.19 backport] #54635

Comments

gopherbot commented Aug 23, 2022

gopherbot commented Aug 24, 2022

gopherbot commented Aug 29, 2022