mirror of https://github.com/golang/go synced 2024-11-06 05:36:13 -07:00
Julie Qiu ac68c6c683 path/filepath: fix stack exhaustion in Glob
A limit is added to the number of path separators allowed by an input to
Glob, to prevent stack exhaustion issues.

Thanks to Juho Nurminen of Mattermost who reported the issue.

Fixes CVE-2022-30632
Fixes #53416

Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/417066
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
2022-07-12 15:06:01 +00:00
archive archive/zip: use bufio.Reset rather than NewReader 2022-06-02 17:17:19 +00:00
bufio
builtin builtin: clarify effect of close on receive 2022-05-24 19:45:14 +00:00
bytes
cmd cmd/go: avoid spurious readdir during fsys.Walk 2022-07-12 09:11:26 +00:00
compress compress/gzip: always close bodyReader in Example_compressingReader 2022-06-22 16:24:14 +00:00
container
context
crypto crypto/x509: restrict CRL number to <=20 octets 2022-07-07 19:43:03 +00:00
database/sql database/sql: make TestTxContextWaitNoDiscard test more robust 2022-07-11 17:14:33 +00:00
debug debug/pe: add IMAGE_FILE_MACHINE_LOONGARCH{64,32} 2022-06-29 22:29:34 +00:00
embed embed: document additional file name restrictions 2022-06-23 16:32:40 +00:00
encoding encoding/gob: add a depth limit for ignored fields 2022-07-12 15:05:49 +00:00
errors
expvar expvar: don't crash if map value set to nil 2022-06-16 18:29:19 +00:00
flag flag: highlight support for double dashes in docs 2022-07-01 15:37:46 +00:00
fmt
go go/parser: limit recursion depth 2022-07-12 15:05:44 +00:00
hash hash/crc32: fix typo in arm64 archInitCastagnoli panic message 2022-05-25 05:31:01 +00:00
html html/template: fix typo in content_test.go 2022-06-27 17:04:56 +00:00
image all: fix spelling 2022-05-17 21:46:33 +00:00
index/suffixarray
internal internal/trace: don't report regions on system goroutines 2022-07-11 21:24:38 +00:00
io io/fs: fix stack exhaustion in Glob 2022-07-12 15:05:55 +00:00
log
math go, math, os, reflect: support standard library for loong64 2022-05-20 15:12:52 +00:00
mime mime: ignore .js => text/plain in Windows registry 2022-05-28 20:07:28 +00:00
net net/http: clarify that MaxBytesReader returns *MaxBytesError 2022-07-12 04:04:17 +00:00
os os/exec: clarify that Wait must be called 2022-07-06 16:51:00 +00:00
path path/filepath: fix stack exhaustion in Glob 2022-07-12 15:06:01 +00:00
plugin
reflect reflect: fix reference comment to runtime/map.go 2022-06-15 21:24:24 +00:00
regexp regexp: avoid copying each instruction executed 2022-06-04 20:10:54 +00:00
runtime internal/trace: don't report regions on system goroutines 2022-07-11 21:24:38 +00:00
sort all: gofmt main repo 2022-05-19 15:49:05 +00:00
strconv strconv: avoid panic on invalid call to FormatFloat 2022-06-24 23:50:20 +00:00
strings
sync sync: add more notes about Cond behavior 2022-06-17 21:35:36 +00:00
syscall syscall: gofmt after CL 412114 2022-07-11 21:46:19 +00:00
testdata
testing cmd/compile: mark closures made for generic function expressions as wrappers 2022-05-26 21:06:31 +00:00
text text/template/parse: fix data race on lexer initialization 2022-06-06 15:54:07 +00:00
time lib/time, time/tzdata: update to 2022a 2022-05-31 08:53:53 +00:00
unicode
unsafe
vendor all: update to current golang.org/x/sys revision 2022-06-22 16:47:18 +00:00
all.bash
all.bat
all.rc
bootstrap.bash
buildall.bash
clean.bash
clean.bat
clean.rc
cmp.bash
go.mod all: update to current golang.org/x/sys revision 2022-06-22 16:47:18 +00:00
go.sum all: update to current golang.org/x/sys revision 2022-06-22 16:47:18 +00:00
make.bash
make.bat
Make.dist
make.rc
race.bash
race.bat
README.vendor
run.bash
run.bat
run.rc

Vendoring in std and cmd
========================

The Go command maintains copies of external packages needed by the
standard library in the src/vendor and src/cmd/vendor directories.

In GOPATH mode, imports of vendored packages are resolved to these
directories following normal vendor directory logic
(see golang.org/s/go15vendor).

In module mode, std and cmd are modules (defined in src/go.mod and
src/cmd/go.mod). When a package outside std or cmd is imported
by a package inside std or cmd, the import path is interpreted
as if it had a "vendor/" prefix. For example, within "crypto/tls",
an import of "golang.org/x/crypto/cryptobyte" resolves to
"vendor/golang.org/x/crypto/cryptobyte". When a package with the
same path is imported from a package outside std or cmd, it will
be resolved normally. Consequently, a binary may be built with two
copies of a package at different versions if the package is
imported normally and vendored by the standard library.

Vendored packages are internally renamed with a "vendor/" prefix
to preserve the invariant that all packages have distinct paths.
This is necessary to avoid compiler and linker conflicts. Adding
a "vendor/" prefix also maintains the invariant that standard
library packages begin with a dotless path element.
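The resolution rule and the two-copies consequence described above, as an added example that is not part of README.vendor or the go command: resolveImport is a simplified model of the rule (not the go command's own resolver), and duplicateCopies checks a constructed `go list -deps` style package list for an external package that a binary would link both as the std-vendored copy and as a normal dependency.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// isStdPath reports whether p is a std or cmd package: per the invariant
// above, those begin with a dotless path element ("crypto/tls").
func isStdPath(p string) bool {
	return !strings.Contains(strings.SplitN(p, "/", 2)[0], ".")
}

// resolveImport models the module-mode rule: an external package imported
// from inside std or cmd resolves to its "vendor/" copy; the same import
// from any other package resolves normally. Simplified model, not go's own.
func resolveImport(importer, importPath string) string {
	if isStdPath(importer) && !isStdPath(importPath) {
		return "vendor/" + importPath
	}
	return importPath
}

// duplicateCopies scans a build's package list (one import path per entry,
// as `go list -deps` prints it) for external packages present both as a
// std-vendored copy and as a normal dependency: two versions in one binary.
func duplicateCopies(deps []string) []string {
	seen := make(map[string]bool, len(deps))
	for _, d := range deps {
		seen[d] = true
	}
	var dups []string
	for d := range seen {
		if plain := strings.TrimPrefix(d, "vendor/"); plain != d && seen[plain] {
			dups = append(dups, plain)
		}
	}
	sort.Strings(dups)
	return dups
}

// sampleDeps is a constructed `go list -deps` listing for a hypothetical binary.
var sampleDeps = []string{"crypto/tls", "vendor/golang.org/x/crypto/cryptobyte",
	"golang.org/x/crypto/cryptobyte", "golang.org/x/net/html"}

func main() {
	fmt.Println(resolveImport("crypto/tls", "golang.org/x/crypto/cryptobyte"))
	fmt.Println(duplicateCopies(sampleDeps))
}
```

A real package list for the check comes from `go list -deps ./...` in the module being built.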

The module requirements of std and cmd do not influence version
selection in other modules. They are only considered when running
module commands like 'go get' and 'go mod vendor' from a directory
in GOROOT/src.

Maintaining vendor directories
==============================

Before updating vendor directories, ensure that module mode is enabled.
Make sure GO111MODULE=off is not set ('on' or 'auto' should work).

Requirements may be added, updated, and removed with 'go get'.
The vendor directory may be updated with 'go mod vendor'.
A typical sequence might be:

    cd src
    go get -d golang.org/x/net@latest
    go mod tidy
    go mod vendor

Use caution when passing '-u' to 'go get'. The '-u' flag updates
modules providing all transitively imported packages, not only
the module providing the target package.

Note that 'go mod vendor' only copies packages that are transitively
imported by packages in the current module. If a new package is needed,
it should be imported before running 'go mod vendor'.