1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

go: patch CVE-2026-39826

Backport patch from [1]

[1] https://go.dev/cl/771180

(From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4)

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Theo Gaige (Schneider Electric)
2026-05-21 12:09:43 +02:00
committed by Paul Barker
parent 78bfa2dc96
commit 9a4407138b
2 changed files with 66 additions and 0 deletions
+1
View File
@@ -50,6 +50,7 @@ SRC_URI += "\
file://CVE-2026-39819.patch \
file://CVE-2026-39820.patch \
file://CVE-2026-39825.patch \
file://CVE-2026-39826.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
@@ -0,0 +1,65 @@
From 0d41a827f4d691be89c0285cd136cc45640341d4 Mon Sep 17 00:00:00 2001
From: Neal Patel <nealpatel@google.com>
Date: Mon, 27 Apr 2026 17:34:58 -0400
Subject: [PATCH] html/template: fix escaper bypass by treating empty script
type as JavaScript
Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue.
Fixes #78981
Fixes CVE-2026-39826
Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836
Reviewed-on: https://go-review.googlesource.com/c/go/+/771180
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
CVE: CVE-2026-39826
Upstream-Status: Backport [https://github.com/golang/go/commit/a63b23ffb2eebc9ca3a14c369b615ca623bb20f7]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
src/html/template/escape_test.go | 15 +++++++++++++++
src/html/template/js.go | 1 +
2 files changed, 16 insertions(+)
diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
index 435c83378f..ce06440738 100644
--- a/src/html/template/escape_test.go
+++ b/src/html/template/escape_test.go
@@ -231,6 +231,21 @@ func TestEscape(t *testing.T) {
"<script>alert({{.A}})</script>",
`<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`,
},
+ {
+ "scriptTypeSpace",
+ "<script type=\" \">{{.H}}</script>",
+ "<script type=\" \">\"\\u003cHello\\u003e\"</script>",
+ },
+ {
+ "scriptTypeTab",
+ "<script type=\"\t\">{{.H}}</script>",
+ "<script type=\"\t\">\"\\u003cHello\\u003e\"</script>",
+ },
+ {
+ "scriptTypeEmpty",
+ "<script type=\"\">{{.H}}</script>",
+ "<script type=\"\">\"\\u003cHello\\u003e\"</script>",
+ },
{
"jsObjValueNotOverEscaped",
"<button onclick='alert({{.A | html}})'>",
diff --git a/src/html/template/js.go b/src/html/template/js.go
index d911ada26d..90cf2dc982 100644
--- a/src/html/template/js.go
+++ b/src/html/template/js.go
@@ -459,6 +459,7 @@ func isJSType(mimeType string) bool {
mimeType = strings.TrimSpace(mimeType)
switch mimeType {
case
+ "",
"application/ecmascript",
"application/javascript",
"application/json",
--
2.43.0