author | Bryan C. Mills <bcmills@google.com> | 2023-08-17 17:12:44 -0400 |
---|---|---|
committer | Cherry Mui <cherryyz@google.com> | 2023-09-06 14:19:53 +0000 |
commit | d25a935574efd573668d8ce9ea4cfc530bb63ecb (patch) | |
tree | c4ec76fc4ab6f543dcfa39f46f4c347a0da7c994 | |
parent | e3ba569c78d2c496537f4546282a5e04f33c886e (diff) | |
[release-branch.go1.21] cmd/go: reject toolchain directives containing path separators
If GOTOOLCHAIN="path" or "auto", the go command uses exec.LookPath to
search for the named toolchain, in order to allow toolchains to refer to local-only
toolchain variants (such as toolchains built from enterprise- or
distro-patched source). However, those toolchains should only be
resolved from $PATH, not relative to the working directory of the
command.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Fixes #62198.
Fixes #62394.
Fixes CVE-2023-39320.
Change-Id: I247c7acea95d737362dd0475e9fc8515430d0fcc
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1996318
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit e41c0a55d45e9a9acbc5d7c1143ea4fff8fb9283)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014013
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/526095
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cherry Mui <cherryyz@google.com>
-rw-r--r-- | src/cmd/go/internal/gover/toolchain.go | 7 | ||||
-rw-r--r-- | src/cmd/go/testdata/script/mod_toolchain_slash.txt | 32 |
2 files changed, 39 insertions, 0 deletions
diff --git a/src/cmd/go/internal/gover/toolchain.go b/src/cmd/go/internal/gover/toolchain.go
index b520277618..a24df98168 100644
--- a/src/cmd/go/internal/gover/toolchain.go
+++ b/src/cmd/go/internal/gover/toolchain.go
@@ -22,6 +22,13 @@ import (
 // FromToolchain("go1.2.3-bigcorp") == "1.2.3"
 // FromToolchain("invalid") == ""
 func FromToolchain(name string) string {
+	if strings.ContainsAny(name, "\\/") {
+		// The suffix must not include a path separator, since that would cause
+		// exec.LookPath to resolve it from a relative directory instead of from
+		// $PATH.
+		return ""
+	}
+
 	var v string
 	if strings.HasPrefix(name, "go") {
 		v = name[2:]
diff --git a/src/cmd/go/testdata/script/mod_toolchain_slash.txt b/src/cmd/go/testdata/script/mod_toolchain_slash.txt
new file mode 100644
index 0000000000..bb1f770a6a
--- /dev/null
+++ b/src/cmd/go/testdata/script/mod_toolchain_slash.txt
@@ -0,0 +1,32 @@
+[!exec:/bin/sh] skip
+
+chmod 0777 go1.999999-/run.sh
+chmod 0777 run.sh
+
+! go list all
+! stdout 'RAN SCRIPT'
+
+cd subdir
+! go list all
+! stdout 'RAN SCRIPT'
+
+-- go.mod --
+module exploit
+
+go 1.21
+toolchain go1.999999-/run.sh
+-- go1.999999-/run.sh --
+#!/bin/sh
+printf 'RAN SCRIPT\n'
+exit 1
+-- run.sh --
+#!/bin/sh
+printf 'RAN SCRIPT\n'
+exit 1
+-- subdir/go.mod --
+module exploit
+
+go 1.21
+toolchain go1.999999-/../../run.sh
+-- subdir/go1.999999-/README.txt --
+heh heh heh
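Review bot: The doc comment on FromToolchain, whose examples end at `// FromToolchain("invalid") == ""`, is not extended for the new rejection, so a reader of the examples will not learn that a path separator makes a name invalid; add `// FromToolchain("go1.2.3-bigcorp/bin") == ""` alongside the existing examples. The in-code comment speaks of "the suffix" while the check runs over the whole name, which is the safer choice but should be stated as `// The name (including any suffix) must not contain a path separator, since`. The check mirrors exec.LookPath's slash rule only; on Windows, exec.LookPath is believed to treat a `:` in the name as a path marker too, which this check does not reject — worth confirming against the Windows LookPath implementation before relying on this alone. FromToolchain's body continues past the end of the hunk.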
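Review bot: The script asserts only `! go list all` and `! stdout 'RAN SCRIPT'`, so it passes whenever `go list` fails for any reason without running the script, and does not pin that the directive was rejected as invalid. A stderr match for the message the go command prints for an invalid toolchain directive (e.g. `stderr 'invalid toolchain'`, with the exact wording confirmed against the go command's error text) would make the test fail if the resolution path silently changed. Because the whole script is skipped via `[!exec:/bin/sh] skip`, the backslash half of the new `ContainsAny(name, "\\/")` check gets no coverage on Windows; a case with `toolchain go1.999999-\run.sh` that asserts the rejection alone needs no shell and could run everywhere.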