From e0b07dc22eaab1b003d98ad6d63cdfacc76c5c70 Mon Sep 17 00:00:00 2001 From: Olivier Mengué Date: Mon, 30 Jun 2025 16:58:59 +0200 Subject: os/exec: fix incorrect expansion of "", "." and ".." in LookPath Fix incorrect expansion of "" and "." when $PATH contains an executable file or, on Windows, a parent directory of a %PATH% element contains an file with the same name as the %PATH% element but with one of the %PATHEXT% extension (ex: C:\utils\bin is in PATH, and C:\utils\bin.exe exists). Fix incorrect expansion of ".." when $PATH contains an element which is an the concatenation of the path to an executable file (or on Windows a path that can be expanded to an executable by appending a %PATHEXT% extension), a path separator and a name. "", "." and ".." are now rejected early with ErrNotFound. Fixes CVE-2025-47906 Fixes #74466 Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e Reviewed-on: https://go-review.googlesource.com/c/go/+/685755 LUCI-TryBot-Result: Go LUCI Auto-Submit: Damien Neil Reviewed-by: Roland Shoemaker Reviewed-by: Damien Neil --- src/os/exec/exec.go | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'src/os/exec/exec.go') diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go index 91a6831b04..38354a5244 100644 --- a/src/os/exec/exec.go +++ b/src/os/exec/exec.go @@ -1328,3 +1328,13 @@ func addCriticalEnv(env []string) []string { // Code should use errors.Is(err, ErrDot), not err == ErrDot, // to test whether a returned error err is due to this condition. var ErrDot = errors.New("cannot run executable found relative to current directory") + +// validateLookPath excludes paths that can't be valid +// executable names. See issue #74466 and CVE-2025-47906. +func validateLookPath(s string) error { + switch s { + case "", ".", "..": + return ErrNotFound + } + return nil +} -- cgit v1.3