diff options
Diffstat (limited to 'meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch')
-rw-r--r-- | meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch new file mode 100644 index 0000000000..816d914983 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/0003-CVE-2022-32190.patch @@ -0,0 +1,36 @@ +From 2c632b883b0f11084cc247c8b50ad6c71fa7b447 Mon Sep 17 00:00:00 2001 +From: Sean Liao <sean@liao.dev> +Date: Sat, 9 Jul 2022 18:38:45 +0100 +Subject: [PATCH 3/4] net/url: use EscapedPath for url.JoinPath + +Fixes #53763 + +Change-Id: I08b53f159ebdce7907e8cc17316fd0c982363239 +Reviewed-on: https://go-review.googlesource.com/c/go/+/416774 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Bryan Mills <bcmills@google.com> +Run-TryBot: Ian Lance Taylor <iant@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/bf5898ef53d1693aa572da0da746c05e9a6f15c5] +CVE: CVE-2022-32190 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/net/url/url.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/net/url/url.go b/src/net/url/url.go +index 3436707..73079a5 100644 +--- a/src/net/url/url.go ++++ b/src/net/url/url.go +@@ -1111,7 +1111,7 @@ func (u *URL) UnmarshalBinary(text []byte) error { + func (u *URL) JoinPath(elem ...string) *URL { + url := *u + if len(elem) > 0 { +- elem = append([]string{u.Path}, elem...) ++ elem = append([]string{u.EscapedPath()}, elem...) + p := path.Join(elem...) + // path.Join will remove any trailing slashes. + // Preserve at least one. +-- +2.7.4 |