mirror of
https://git.yoctoproject.org/poky
synced 2026-07-15 15:37:03 +00:00
go: patch CVE-2026-39826
Backport patch from [1] [1] https://go.dev/cl/771180 (From OE-Core rev: 11203044b88ecca7bcdf32d58db5808949423de4) Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> Reviewed-by: Bruno Vernay <bruno.vernay@se.com> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
78bfa2dc96
commit
9a4407138b
@@ -50,6 +50,7 @@ SRC_URI += "\
|
||||
file://CVE-2026-39819.patch \
|
||||
file://CVE-2026-39820.patch \
|
||||
file://CVE-2026-39825.patch \
|
||||
file://CVE-2026-39826.patch \
|
||||
"
|
||||
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
|
||||
|
||||
|
||||
@@ -0,0 +1,65 @@
|
||||
From 0d41a827f4d691be89c0285cd136cc45640341d4 Mon Sep 17 00:00:00 2001
|
||||
From: Neal Patel <nealpatel@google.com>
|
||||
Date: Mon, 27 Apr 2026 17:34:58 -0400
|
||||
Subject: [PATCH] html/template: fix escaper bypass by treating empty script
|
||||
type as JavaScript
|
||||
|
||||
Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue.
|
||||
|
||||
Fixes #78981
|
||||
Fixes CVE-2026-39826
|
||||
|
||||
Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836
|
||||
Reviewed-on: https://go-review.googlesource.com/c/go/+/771180
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
|
||||
CVE: CVE-2026-39826
|
||||
Upstream-Status: Backport [https://github.com/golang/go/commit/a63b23ffb2eebc9ca3a14c369b615ca623bb20f7]
|
||||
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
|
||||
---
|
||||
src/html/template/escape_test.go | 15 +++++++++++++++
|
||||
src/html/template/js.go | 1 +
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
|
||||
index 435c83378f..ce06440738 100644
|
||||
--- a/src/html/template/escape_test.go
|
||||
+++ b/src/html/template/escape_test.go
|
||||
@@ -231,6 +231,21 @@ func TestEscape(t *testing.T) {
|
||||
"<script>alert({{.A}})</script>",
|
||||
`<script>alert(["\u003ca\u003e","\u003cb\u003e"])</script>`,
|
||||
},
|
||||
+ {
|
||||
+ "scriptTypeSpace",
|
||||
+ "<script type=\" \">{{.H}}</script>",
|
||||
+ "<script type=\" \">\"\\u003cHello\\u003e\"</script>",
|
||||
+ },
|
||||
+ {
|
||||
+ "scriptTypeTab",
|
||||
+ "<script type=\"\t\">{{.H}}</script>",
|
||||
+ "<script type=\"\t\">\"\\u003cHello\\u003e\"</script>",
|
||||
+ },
|
||||
+ {
|
||||
+ "scriptTypeEmpty",
|
||||
+ "<script type=\"\">{{.H}}</script>",
|
||||
+ "<script type=\"\">\"\\u003cHello\\u003e\"</script>",
|
||||
+ },
|
||||
{
|
||||
"jsObjValueNotOverEscaped",
|
||||
"<button onclick='alert({{.A | html}})'>",
|
||||
diff --git a/src/html/template/js.go b/src/html/template/js.go
|
||||
index d911ada26d..90cf2dc982 100644
|
||||
--- a/src/html/template/js.go
|
||||
+++ b/src/html/template/js.go
|
||||
@@ -459,6 +459,7 @@ func isJSType(mimeType string) bool {
|
||||
mimeType = strings.TrimSpace(mimeType)
|
||||
switch mimeType {
|
||||
case
|
||||
+ "",
|
||||
"application/ecmascript",
|
||||
"application/javascript",
|
||||
"application/json",
|
||||
--
|
||||
2.43.0
|
||||
|
||||
Reference in New Issue
Block a user