go env is documented as outputting a shell script containing the Go environment:
$ go help env
By default env prints information as a shell script
(on Windows, a batch file). If one or more variable
names is given as arguments, env prints the value of
each named variable on its own line.
However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands:
Or inserting new environment variables:
In general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making go env print them out, but we still should be sanitizing the output here. Treating this as a PUBLIC track vulnerability because the scenarios where this results in a vulnerability are fairly artificial, and the correct fix is not immediately obvious. (Properly quoting values seems like an obvious fix, but shell quoting is subtle.)
When 'go env' without an argument prints environment variables as
a script which can be executed by the shell, variables with a
list value in Plan 9 (such as GOPATH) need to be printed with each
element enclosed in single quotes in case it contains characters
significant to the Plan 9 shell (such as ' ' or '=').
For #58508
Change-Id: Ia30f51307cc6d07a7e3ada6bf9d60bf9951982ff
Reviewed-on: https://go-review.googlesource.com/c/go/+/493535
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
This is CVE-2023-24531.
Thanks to Hunter Wittenborn (https://hunterwittenborn.com/) for reporting this issue.
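
As an added illustration (not code from the Go project or from this issue), the sketch below contrasts a model of unsanitized NAME="value" output with single-quote escaping for a POSIX shell, and decodes the quoted line to confirm the value round-trips unchanged. The helper names and sample values are constructed for the example, and it assumes a POSIX sh consumer; Windows batch files and the Plan 9 shell need different quoting rules.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// unsafeLine models unsanitized output (hypothetical helper): the value is
// pasted between double quotes, so $(...), backquotes, " and newlines keep
// their shell meaning when the line is evaluated.
func unsafeLine(name, value string) string {
	return name + `="` + value + `"`
}

// safeLine single-quotes the value for a POSIX shell. Nothing is special
// inside '...', so the only character needing care is ' itself, emitted as
// '\'' (close quote, escaped quote, reopen quote). name is assumed valid.
func safeLine(name, value string) (string, error) {
	if strings.ContainsRune(value, 0) {
		return "", errors.New("NUL cannot appear in a shell word")
	}
	return name + "='" + strings.ReplaceAll(value, "'", `'\''`) + "'", nil
}

// shValue decodes the value of a line built by safeLine, using the POSIX
// rules for '...' and backslash, so the round trip is checked without a shell.
func shValue(line string) string {
	_, word, _ := strings.Cut(line, "=")
	var out strings.Builder
	inQuote := false
	for i := 0; i < len(word); i++ {
		switch c := word[i]; {
		case c == '\'':
			inQuote = !inQuote
		case c == '\\' && !inQuote && i+1 < len(word):
			i++
			out.WriteByte(word[i])
		default:
			out.WriteByte(c)
		}
	}
	return out.String()
}

func main() {
	// Constructed values covering the two outcomes the issue names.
	for _, v := range []string{"$(echo injected)", "/tmp\"\nEXTRA=\"1", "it's"} {
		line, _ := safeLine("GOTMPDIR", v)
		fmt.Printf("unsafe: %q\nsafe:   %q\nround trip ok: %v\n",
			unsafeLine("GOTMPDIR", v), line, shValue(line) == v)
	}
}
```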