| author | Olivier Mengué <olivier.mengue@gmail.com> | 2025-06-30 16:58:59 +0200 |
|---|---|---|
| committer | Mark Freeman <mark@golang.org> | 2025-07-30 13:35:04 -0700 |
| commit | 8fa31a2d7d9e60c50a3a94080c097b6e65773f4b (patch) | |
| tree | f59156d76a368fad09eb16b8cccdfff6bbf3adea /src/database/sql/sql_test.go | |
| parent | e8794e650e05fad07a33fb6e3266a9e677d13fa8 (diff) | |
| download | go-8fa31a2d7d9e60c50a3a94080c097b6e65773f4b.tar.xz | |
[release-branch.go1.23] os/exec: fix incorrect expansion of "", "." and ".." in LookPath

Fix incorrect expansion of "" and "." when $PATH contains an executable
file or, on Windows, a parent directory of a %PATH% element contains a
file with the same name as the %PATH% element but with one of the
%PATHEXT% extensions (ex: C:\utils\bin is in PATH, and C:\utils\bin.exe
exists).

Fix incorrect expansion of ".." when $PATH contains an element which is
the concatenation of the path to an executable file (or on Windows
a path that can be expanded to an executable by appending a %PATHEXT%
extension), a path separator and a name.

"", "." and ".." are now rejected early with ErrNotFound.

Fixes CVE-2025-47906
Fixes #74803

Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e
Reviewed-on: https://go-review.googlesource.com/c/go/+/685755
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit e0b07dc22eaab1b003d98ad6d63cdfacc76c5c70)
Reviewed-on: https://go-review.googlesource.com/c/go/+/691855
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Diffstat (limited to 'src/database/sql/sql_test.go')
0 files changed, 0 insertions, 0 deletions
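
For code that may still be built with a Go release lacking this fix, the early rejection described in the commit message can be applied in the caller. The following is an added example, not code from the commit or from os/exec: `safeLookPath` and `rejectsOnConstructedPath` are hypothetical names, the PATH value is constructed in a temporary directory in the shape the message describes, and a Unix-like system is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// safeLookPath is a hypothetical wrapper, not part of os/exec. It refuses "",
// "." and ".." before PATH is consulted, whatever the toolchain version.
func safeLookPath(name string) (string, error) {
	switch name {
	case "", ".", "..":
		return "", &exec.Error{Name: name, Err: exec.ErrNotFound}
	}
	return exec.LookPath(name)
}

// rejectsOnConstructedPath sets a constructed PATH with one element that is an
// executable file and one that is that file's path plus a separator and a
// name, then checks the wrapper against the three names and an ordinary one.
func rejectsOnConstructedPath() (bool, error) {
	dir, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	tool := filepath.Join(dir, "tool") // constructed sample executable
	if err := os.WriteFile(tool, []byte("#!/bin/sh\n"), 0o755); err != nil {
		return false, err
	}
	defer os.Setenv("PATH", os.Getenv("PATH")) // restore the caller's PATH
	os.Setenv("PATH", tool+string(os.PathListSeparator)+filepath.Join(tool, "sub"))
	for _, name := range []string{"", ".", ".."} {
		if _, err := safeLookPath(name); !errors.Is(err, exec.ErrNotFound) {
			return false, nil
		}
	}
	os.Setenv("PATH", dir) // an ordinary name must still resolve through PATH
	got, err := safeLookPath("tool")
	return err == nil && got == tool, nil
}

func main() {
	ok, err := rejectsOnConstructedPath()
	fmt.Println("wrapper behaves as expected:", ok, err)
}
```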
