mirror of
https://github.com/golang/go
synced 2024-11-18 23:44:43 -07:00
cmd/go: reject toolchain directives containing path separators
If GOTOOLCHAIN="path" or "auto", the go command uses exec.LookPath to search for it in order to allow toolchains to refer to local-only toolchain variants (such as toolchains built from enterprise- or distro-patched source). However, those toolchains should only be resolved from $PATH, not relative to the working directory of the command. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #62198. Fixes CVE-2023-39320. Change-Id: I247c7acea95d737362dd0475e9fc8515430d0fcc Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1996318 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/526158 Reviewed-by: Bryan Mills <bcmills@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
parent
b2f8f6c8ef
commit
a0c3a1b676
@ -22,6 +22,13 @@ import (
|
||||
// FromToolchain("go1.2.3-bigcorp") == "1.2.3"
|
||||
// FromToolchain("invalid") == ""
|
||||
func FromToolchain(name string) string {
|
||||
if strings.ContainsAny(name, "\\/") {
|
||||
// The suffix must not include a path separator, since that would cause
|
||||
// exec.LookPath to resolve it from a relative directory instead of from
|
||||
// $PATH.
|
||||
return ""
|
||||
}
|
||||
|
||||
var v string
|
||||
if strings.HasPrefix(name, "go") {
|
||||
v = name[2:]
|
||||
|
32
src/cmd/go/testdata/script/mod_toolchain_slash.txt
vendored
Normal file
32
src/cmd/go/testdata/script/mod_toolchain_slash.txt
vendored
Normal file
@ -0,0 +1,32 @@
|
||||
[!exec:/bin/sh] skip
|
||||
|
||||
chmod 0777 go1.999999-/run.sh
|
||||
chmod 0777 run.sh
|
||||
|
||||
! go list all
|
||||
! stdout 'RAN SCRIPT'
|
||||
|
||||
cd subdir
|
||||
! go list all
|
||||
! stdout 'RAN SCRIPT'
|
||||
|
||||
-- go.mod --
|
||||
module exploit
|
||||
|
||||
go 1.21
|
||||
toolchain go1.999999-/run.sh
|
||||
-- go1.999999-/run.sh --
|
||||
#!/bin/sh
|
||||
printf 'RAN SCRIPT\n'
|
||||
exit 1
|
||||
-- run.sh --
|
||||
#!/bin/sh
|
||||
printf 'RAN SCRIPT\n'
|
||||
exit 1
|
||||
-- subdir/go.mod --
|
||||
module exploit
|
||||
|
||||
go 1.21
|
||||
toolchain go1.999999-/../../run.sh
|
||||
-- subdir/go1.999999-/README.txt --
|
||||
heh heh heh
|
Loading…
Reference in New Issue
Block a user