net/url: JoinPath doesn't strip relative path components in all circumstances #54385
Assignees
Milestone
Comments
|
This is CVE-2022-32190. |
|
Relative paths are now removed from elements with this patch #54390. // OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/xIf a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows. - url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x
// OK
- url.JoinPath("https://go.dev", "../.././x") // https://go.dev/xcc @neild @cuishuang |
|
Change https://go.dev/cl/423514 mentions this issue: |
|
Change https://go.dev/cl/422715 mentions this issue: |
Maybe refer to this pr https://go-review.googlesource.com/c/go/+/423514/ |
PR https://go-review.googlesource.com/c/go/+/423514/ has resolved this issue. Many thanks. |
|
@gopherbot please open backport issues. |
|
Backport issue(s) opened: #54634 (for 1.18), #54635 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/425357 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 29, 2022
…JoinPath
JoinPath would fail to remove relative elements from the start of
the path when the first path element is "".
In addition, JoinPath would return the original path unmodified
when provided with no elements to join, violating the documented
behavior of always cleaning the resulting path.
Correct both these cases.
JoinPath("http://go.dev", "../go")
// before: http://go.dev/../go
// after: http://go.dev/go
JoinPath("http://go.dev/../go")
// before: http://go.dev/../go
// after: http://go.dev/go
For #54385.
Fixes #54635.
Fixes CVE-2022-32190.
Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
(cherry picked from commit 0765da5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
dmitshur
added
the
NeedsFix
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Sep 8, 2022
…JoinPath
JoinPath would fail to remove relative elements from the start of
the path when the first path element is "".
In addition, JoinPath would return the original path unmodified
when provided with no elements to join, violating the documented
behavior of always cleaning the resulting path.
Correct both these cases.
JoinPath("http://go.dev", "../go")
// before: http://go.dev/../go
// after: http://go.dev/go
JoinPath("http://go.dev/../go")
// before: http://go.dev/../go
// after: http://go.dev/go
For golang#54385.
Fixes golang#54635.
Fixes CVE-2022-32190.
Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
(cherry picked from commit 0765da5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
|
I use versions earlier than 1.18, such as 1.17. Do I need to upgrade to 1.18? |
1 task
wormi4ok
added a commit
to wormi4ok/packages
that referenced
this issue
Oct 20, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
wormi4ok
added a commit
to wormi4ok/packages
that referenced
this issue
Nov 14, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
1715173329
pushed a commit
to immortalwrt/packages
that referenced
this issue
Nov 15, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
BKPepe
pushed a commit
to openwrt/packages
that referenced
this issue
Dec 3, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * #19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
stokito
pushed a commit
to stokito/packages
that referenced
this issue
Dec 6, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
|
Change https://go.dev/cl/458775 mentions this issue: |
SibrenVasse
pushed a commit
to SibrenVasse/packages
that referenced
this issue
Feb 26, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Mar 10, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Mar 10, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
|
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Oct 28, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Dec 20, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Mar 2, 2024
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Mar 18, 2024
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> (cherry picked from commit 0ad7a2f)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://go.dev/play/p/gLLv0cc_jn1
JoinPathdoesn't remove../path components appended to a domain that is not terminated by a slash. This is surprising and could conceivably lead to a directory traversal attack. The result ofJoinPathshouldn't depend on whether the first component is/terminated or not.Thanks to @q0jt for reporting this bug.
The text was updated successfully, but these errors were encountered: