|
| 1 | +From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 |
| 2 | +From: Roland Shoemaker <roland@golang.org> |
| 3 | +Date: Wed, 04 Dec 2024 09:35:55 -0800 |
| 4 | +Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves |
| 5 | + |
| 6 | +Instead of using strings.ToLower and == to check case insensitive |
| 7 | +equality, just use strings.EqualFold, even when the strings are only |
| 8 | +ASCII. This prevents us unnecessarily lowering extremely long strings, |
| 9 | +which can be a somewhat expensive operation, even if we're only |
| 10 | +attempting to compare equality with five characters. |
| 11 | + |
| 12 | +Thanks to Guido Vranken for reporting this issue. |
| 13 | + |
| 14 | +Fixes golang/go#70906 |
| 15 | +Fixes CVE-2024-45338 |
| 16 | + |
| 17 | +Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 |
| 18 | +Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 |
| 19 | +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> |
| 20 | +Auto-Submit: Gopher Robot <gobot@golang.org> |
| 21 | +Reviewed-by: Roland Shoemaker <roland@golang.org> |
| 22 | +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> |
| 23 | +--- |
| 24 | + vendor/golang.org/x/net/html/doctype.go | 2 +- |
| 25 | + vendor/golang.org/x/net/html/foreign.go | 3 +-- |
| 26 | + vendor/golang.org/x/net/html/parse.go | 4 ++-- |
| 27 | + 3 files changed, 4 insertions(+), 5 deletions(-) |
| 28 | + |
| 29 | +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go |
| 30 | +index c484e5a..bca3ae9 100644 |
| 31 | +--- a/vendor/golang.org/x/net/html/doctype.go |
| 32 | ++++ b/vendor/golang.org/x/net/html/doctype.go |
| 33 | +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { |
| 34 | + } |
| 35 | + } |
| 36 | + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && |
| 37 | +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { |
| 38 | ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { |
| 39 | + quirks = true |
| 40 | + } |
| 41 | + } |
| 42 | +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go |
| 43 | +index 9da9e9d..e8515d8 100644 |
| 44 | +--- a/vendor/golang.org/x/net/html/foreign.go |
| 45 | ++++ b/vendor/golang.org/x/net/html/foreign.go |
| 46 | +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { |
| 47 | + if n.Data == "annotation-xml" { |
| 48 | + for _, a := range n.Attr { |
| 49 | + if a.Key == "encoding" { |
| 50 | +- val := strings.ToLower(a.Val) |
| 51 | +- if val == "text/html" || val == "application/xhtml+xml" { |
| 52 | ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { |
| 53 | + return true |
| 54 | + } |
| 55 | + } |
| 56 | +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go |
| 57 | +index 46a89ed..5b8374b 100644 |
| 58 | +--- a/vendor/golang.org/x/net/html/parse.go |
| 59 | ++++ b/vendor/golang.org/x/net/html/parse.go |
| 60 | +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { |
| 61 | + if p.tok.DataAtom == a.Input { |
| 62 | + for _, t := range p.tok.Attr { |
| 63 | + if t.Key == "type" { |
| 64 | +- if strings.ToLower(t.Val) == "hidden" { |
| 65 | ++ if strings.EqualFold(t.Val, "hidden") { |
| 66 | + // Skip setting framesetOK = false |
| 67 | + return true |
| 68 | + } |
| 69 | +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { |
| 70 | + return inHeadIM(p) |
| 71 | + case a.Input: |
| 72 | + for _, t := range p.tok.Attr { |
| 73 | +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { |
| 74 | ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { |
| 75 | + p.addElement() |
| 76 | + p.oe.pop() |
| 77 | + return true |
| 78 | +-- |
| 79 | +2.25.1 |
| 80 | + |
0 commit comments