[prev in list] [next in list] [prev in thread] [next in thread]
List: openembedded-core
Subject: Re: [OE-core][dunfell][PATCH v3] go: Update fix for CVE-2023-24538 & CVE-2023-39318
From: "Shubham Kulkarni via lists.openembedded.org" <skulkarni=mvista.com () lists ! openem
Date: 2023-09-30 15:53:25
Message-ID: CAKzga+woh5=FBs9Qhg0Xm1K1bFwKg42YOJbZ9THER2AXfRcnSw () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Apologies Steve,
I will look into the issue and send a new patch for Dunfell. It worked for
me on my machine. Maybe something I missed.
Thanks,
Shubham Kulkarni
On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote:
> Sorry, this patch doesn't apply:
>
> Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318
> error: corrupt patch at line 478
> error: could not build fake ancestor
> Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318
>
> Steve
>
> On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via
> lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org>
> wrote:
> >
> > From: Shubham Kulkarni <skulkarni@mvista.com>
> >
> > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
> >
> > Upstream Link -
> > CVE-2023-24538:
> https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
> > CVE-2023-39318:
> https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
> >
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > ---
> > meta/recipes-devtools/go/go-1.14.inc | 5 +-
> > .../go/go-1.14/CVE-2023-24538-1.patch | 4 +-
> > .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++-
> > .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++
> > .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++
> > .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++
> > ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
> > .../go/go-1.14/CVE-2023-39318.patch | 38 +-
> > 8 files changed, 2124 insertions(+), 20 deletions(-)
> > create mode 100644
> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
> > create mode 100644
> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
> > create mode 100644
> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
> > rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch =>
> CVE-2023-24538_6.patch} (53%)
> >
> > diff --git a/meta/recipes-devtools/go/go-1.14.inc
> b/meta/recipes-devtools/go/go-1.14.inc
> > index be63f64825..091b778de8 100644
> > --- a/meta/recipes-devtools/go/go-1.14.inc
> > +++ b/meta/recipes-devtools/go/go-1.14.inc
> > @@ -60,7 +60,10 @@ SRC_URI += "\
> > file://CVE-2023-24534.patch \
> > file://CVE-2023-24538-1.patch \
> > file://CVE-2023-24538-2.patch \
> > - file://CVE-2023-24538-3.patch \
> > + file://CVE-2023-24538_3.patch \
> > + file://CVE-2023-24538_4.patch \
> > + file://CVE-2023-24538_5.patch \
> > + file://CVE-2023-24538_6.patch \
> > file://CVE-2023-24539.patch \
> > file://CVE-2023-24540.patch \
> > file://CVE-2023-29405-1.patch \
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> > index eda26e5ff6..23c5075e41 100644
> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> > @@ -1,7 +1,7 @@
> > From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
> > From: Brad Fitzpatrick <bradfitz@golang.org>
> > Date: Mon, 2 Aug 2021 14:55:51 -0700
> > -Subject: [PATCH 1/3] net/netip: add new IP address package
> > +Subject: [PATCH 1/6] net/netip: add new IP address package
> >
> > Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
> > Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org>
> >
> > Dependency Patch #1
> >
> > -Upstream-Status: Backport [
> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
> ]
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
> > CVE: CVE-2023-24538
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > ---
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> > index 5036f2890b..3840617a32 100644
> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> > @@ -1,7 +1,7 @@
> > From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
> > From: empijei <robclap8@gmail.com>
> > Date: Fri, 27 Mar 2020 19:27:55 +0100
> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode
> escapes
> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode
> escapes
> > for JSON compatibility
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset=UTF-8
> > @@ -31,10 +31,238 @@ Upstream-Status: Backport from
> https://github.com/golang/go/commit/d4d298040d072
> > CVE: CVE-2023-24538
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > ---
> > - src/html/template/js.go | 70
> +++++++++++++++++++++++++++-------------------
> > - src/text/template/funcs.go | 8 +++---
> > - 2 files changed, 46 insertions(+), 32 deletions(-)
> > + src/html/template/content_test.go | 70
> +++++++++++++++++++-------------------
> > + src/html/template/escape_test.go | 6 ++--
> > + src/html/template/example_test.go | 6 ++--
> > + src/html/template/js.go | 70
> +++++++++++++++++++++++---------------
> > + src/html/template/js_test.go | 68
> ++++++++++++++++++------------------
> > + src/html/template/template_test.go | 39 +++++++++++++++++++++
> > + src/text/template/exec_test.go | 6 ++--
> > + src/text/template/funcs.go | 8 ++---
> > + 8 files changed, 163 insertions(+), 110 deletions(-)
> >
> > +diff --git a/src/html/template/content_test.go
> b/src/html/template/content_test.go
> > +index 72d56f5..bd86527 100644
> > +--- a/src/html/template/content_test.go
> > ++++ b/src/html/template/content_test.go
> > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
> > + HTML(`Hello, <b>World</b> &tc!`),
> > + HTMLAttr(` dir="ltr"`),
> > + JS(`c && alert("Hello, World!");`),
> > +- JSStr(`Hello, World & O'Reilly\x21`),
> > ++ JSStr(`Hello, World & O'Reilly\u0021`),
> > + URL(`greeting=H%69,&addressee=(World)`),
> > + Srcset(`greeting=H%69,&addressee=(World) 2x,
> https://golang.org/favicon.ico 500.5w`),
> > + URL(`,foo/,`),
> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
> > + `Hello, <b>World</b> &tc!`,
> > + ` dir="ltr"`,
> > + `c && alert("Hello,
> World!");`,
> > +- `Hello, World & O'Reilly\x21`,
> > ++ `Hello, World & O'Reilly\u0021`,
> > + `greeting=H%69,&addressee=(World)`,
> > + `greeting=H%69,&addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > + `,foo/,`,
> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
> > + `Hello, World &tc!`,
> > + ` dir="ltr"`,
> > +
> `c && alert("Hello, World!");`,
> > +-
> `Hello, World & O'Reilly\x21`,
> > ++
> `Hello, World & O'Reilly\u0021`,
> > +
> `greeting=H%69,&addressee=(World)`,
> > +
> `greeting=H%69,&addressee=(World) 2x, 
> https://golang.org/favicon.ico 500.5w`
> <https://golang.org/favicon.ico 500.5w>,
> > + `,foo/,`,
> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
> > + `Hello, World &tc!`,
> > + ` dir="ltr"`,
> > + `c && alert("Hello,
> World!");`,
> > +- `Hello, World & O'Reilly\x21`,
> > ++ `Hello, World & O'Reilly\u0021`,
> > + `greeting=H%69,&addressee=(World)`,
> > + `greeting=H%69,&addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > + `,foo/,`,
> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
> > + `Hello, <b>World</b>
> &tc!`,
> > + ` dir="ltr"`,
> > + `c && alert("Hello,
> World!");`,
> > +- `Hello, World & O'Reilly\x21`,
> > ++ `Hello, World & O'Reilly\u0021`,
> > + `greeting=H%69,&addressee=(World)`,
> > + `greeting=H%69,&addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > + `,foo/,`,
> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
> > + // Not escaped.
> > + `c && alert("Hello, World!");`,
> > + // Escape sequence not over-escaped.
> > +- `"Hello, World & O'Reilly\x21"`,
> > ++ `"Hello, World & O'Reilly\u0021"`,
> > +
> `"greeting=H%69,\u0026addressee=(World)"`,
> > + `"greeting=H%69,\u0026addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w"`,
> > + `",foo/,"`,
> > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
> > + // Not JS escaped but HTML escaped.
> > + `c && alert("Hello,
> World!");`,
> > + // Escape sequence not over-escaped.
> > +- `"Hello, World &
> O'Reilly\x21"`,
> > ++ `"Hello, World &
> O'Reilly\u0021"`,
> > +
> `"greeting=H%69,\u0026addressee=(World)"`,
> > +
> `"greeting=H%69,\u0026addressee=(World) 2x,
> https://golang.org/favicon.ico 500.5w"`,
> > + `",foo/,"`,
> > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
> > + {
> > + `<script>alert("{{.}}")</script>`,
> > + []string{
> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly
> \x26bar;`,
> > +- `a[href =~ \x22\/\/example.com
> \x22]#foo`,
> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e
> \x26amp;tc!`,
> > +- ` dir=\x22ltr\x22`,
> > +- `c \x26\x26 alert(\x22Hello,
> World!\x22);`,
> > ++ `\u003cb\u003e \u0022foo%\u0022
> O\u0027Reilly \u0026bar;`,
> > ++ `a[href =~ \u0022\/\/example.com
> \u0022]#foo`,
> > ++ `Hello,
> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> > ++ ` dir=\u0022ltr\u0022`,
> > ++ `c \u0026\u0026 alert(\u0022Hello,
> World!\u0022);`,
> > + // Escape sequence not over-escaped.
> > +- `Hello, World \x26 O\x27Reilly\x21`,
> > +- `greeting=H%69,\x26addressee=(World)`,
> > +- `greeting=H%69,\x26addressee=(World) 2x,
> https:\/\/golang.org\/favicon.ico 500.5w`,
> > ++ `Hello, World \u0026
> O\u0027Reilly\u0021`,
> > ++ `greeting=H%69,\u0026addressee=(World)`,
> > ++ `greeting=H%69,\u0026addressee=(World)
> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> > + `,foo\/,`,
> > + },
> > + },
> > + {
> > + `<script
> type="text/javascript">alert("{{.}}")</script>`,
> > + []string{
> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly
> \x26bar;`,
> > +- `a[href =~ \x22\/\/example.com
> \x22]#foo`,
> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e
> \x26amp;tc!`,
> > +- ` dir=\x22ltr\x22`,
> > +- `c \x26\x26 alert(\x22Hello,
> World!\x22);`,
> > ++ `\u003cb\u003e \u0022foo%\u0022
> O\u0027Reilly \u0026bar;`,
> > ++ `a[href =~ \u0022\/\/example.com
> \u0022]#foo`,
> > ++ `Hello,
> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> > ++ ` dir=\u0022ltr\u0022`,
> > ++ `c \u0026\u0026 alert(\u0022Hello,
> World!\u0022);`,
> > + // Escape sequence not over-escaped.
> > +- `Hello, World \x26 O\x27Reilly\x21`,
> > +- `greeting=H%69,\x26addressee=(World)`,
> > +- `greeting=H%69,\x26addressee=(World) 2x,
> https:\/\/golang.org\/favicon.ico 500.5w`,
> > ++ `Hello, World \u0026
> O\u0027Reilly\u0021`,
> > ++ `greeting=H%69,\u0026addressee=(World)`,
> > ++ `greeting=H%69,\u0026addressee=(World)
> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> > + `,foo\/,`,
> > + },
> > + },
> > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
> > + // Not escaped.
> > + `c && alert("Hello, World!");`,
> > + // Escape sequence not over-escaped.
> > +- `"Hello, World & O'Reilly\x21"`,
> > ++ `"Hello, World & O'Reilly\u0021"`,
> > +
> `"greeting=H%69,\u0026addressee=(World)"`,
> > + `"greeting=H%69,\u0026addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w"`,
> > + `",foo/,"`,
> > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
> > + `Hello, <b>World</b> &tc!`,
> > + ` dir="ltr"`,
> > + `c && alert("Hello,
> World!");`,
> > +- `Hello, World & O'Reilly\x21`,
> > ++ `Hello, World & O'Reilly\u0021`,
> > + `greeting=H%69,&addressee=(World)`,
> > + `greeting=H%69,&addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > + `,foo/,`,
> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
> > + {
> > + `<button onclick='alert("{{.}}")'>`,
> > + []string{
> > +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly
> \x26bar;`,
> > +- `a[href =~ \x22\/\/example.com
> \x22]#foo`,
> > +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e
> \x26amp;tc!`,
> > +- ` dir=\x22ltr\x22`,
> > +- `c \x26\x26 alert(\x22Hello,
> World!\x22);`,
> > ++ `\u003cb\u003e \u0022foo%\u0022
> O\u0027Reilly \u0026bar;`,
> > ++ `a[href =~ \u0022\/\/example.com
> \u0022]#foo`,
> > ++ `Hello,
> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> > ++ ` dir=\u0022ltr\u0022`,
> > ++ `c \u0026\u0026 alert(\u0022Hello,
> World!\u0022);`,
> > + // Escape sequence not over-escaped.
> > +- `Hello, World \x26 O\x27Reilly\x21`,
> > +- `greeting=H%69,\x26addressee=(World)`,
> > +- `greeting=H%69,\x26addressee=(World) 2x,
> https:\/\/golang.org\/favicon.ico 500.5w`,
> > ++ `Hello, World \u0026
> O\u0027Reilly\u0021`,
> > ++ `greeting=H%69,\u0026addressee=(World)`,
> > ++ `greeting=H%69,\u0026addressee=(World)
> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> > + `,foo\/,`,
> > + },
> > + },
> > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
> > +
> `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
> > + `%20dir%3d%22ltr%22`,
> > +
> `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
> > +-
> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
> > ++
> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
> > + // Quotes and parens are escaped but %69
> is not over-escaped. HTML escaping is done.
> > +
> `greeting=H%69,&addressee=%28World%29`,
> > +
> `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%
> 2fgolang.org%2ffavicon.ico%20500.5w`,
> > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
> > +
> `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
> > + `%20dir%3d%22ltr%22`,
> > +
> `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
> > +-
> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
> > ++
> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
> > + // Quotes and parens are escaped but %69
> is not over-escaped. HTML escaping is not done.
> > + `greeting=H%69,&addressee=%28World%29`,
> > +
> `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%
> 2fgolang.org%2ffavicon.ico%20500.5w`,
> > +diff --git a/src/html/template/escape_test.go
> b/src/html/template/escape_test.go
> > +index e72a9ba..c709660 100644
> > +--- a/src/html/template/escape_test.go
> > ++++ b/src/html/template/escape_test.go
> > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
> > + {
> > + "jsStr",
> > + "<button onclick='alert("{{.H}}")'>",
> > +- `<button
> onclick='alert("\x3cHello\x3e")'>`,
> > ++ `<button
> onclick='alert("\u003cHello\u003e")'>`,
> > + },
> > + {
> > + "badMarshaler",
> > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
> > + {
> > + "jsRe",
> > + `<button
> onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
> > +- `<button
> onclick='alert(/foo\x2bbar/.test(""))'>`,
> > ++ `<button
> onclick='alert(/foo\u002bbar/.test(""))'>`,
> > + },
> > + {
> > + "jsReBlank",
> > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
> > + "main": `<button
> onclick="title='{{template "helper"}}'; ...">{{template
> "helper"}}</button>`,
> > + "helper": `{{11}} of {{"<100>"}}`,
> > + },
> > +- `<button onclick="title='11 of \x3c100\x3e';
> ...">11 of <100></button>`,
> > ++ `<button onclick="title='11 of \u003c100\u003e';
> ...">11 of <100></button>`,
> > + },
> > + // A non-recursive template that ends in a different
> context.
> > + // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
> > +diff --git a/src/html/template/example_test.go
> b/src/html/template/example_test.go
> > +index 9d965f1..6cf936f 100644
> > +--- a/src/html/template/example_test.go
> > ++++ b/src/html/template/example_test.go
> > +@@ -116,9 +116,9 @@ func Example_escape() {
> > + // "Fran & Freddie's Diner" &
> lt;tasty@example.com>
> > + // "Fran & Freddie's Diner" &
> lt;tasty@example.com>
> > + // "Fran & Freddie's Diner&#
> 34;32<tasty@example.com>
> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
> > +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
> > +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
> > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com
> \u003E
> > ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com
> \u003E
> > ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com
> \u003E
> > + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
> > +
> > + }
> > diff --git a/src/html/template/js.go b/src/html/template/js.go
> > index 0e91458..ea9c183 100644
> > --- a/src/html/template/js.go
> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644
> > '?': `\?`,
> > '[': `\[`,
> > '\\': `\\`,
> > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
> > +index 075adaa..d7ee47b 100644
> > +--- a/src/html/template/js_test.go
> > ++++ b/src/html/template/js_test.go
> > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
> > + {"foo", `"foo"`},
> > + // Newlines.
> > + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
> > +- // "\v" == "v" on IE 6 so use "\x0b" instead.
> > ++ // "\v" == "v" on IE 6 so use "\u000b" instead.
> > + {"\t\x0b", `"\t\u000b"`},
> > + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
> > + {[]interface{}{}, "[]"},
> > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
> > + }{
> > + {"", ``},
> > + {"foo", `foo`},
> > +- {"\u0000", `\0`},
> > ++ {"\u0000", `\u0000`},
> > + {"\t", `\t`},
> > + {"\n", `\n`},
> > + {"\r", `\r`},
> > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
> > + {"\\n", `\\n`},
> > + {"foo\r\nbar", `foo\r\nbar`},
> > + // Preserve attribute boundaries.
> > +- {`"`, `\x22`},
> > +- {`'`, `\x27`},
> > ++ {`"`, `\u0022`},
> > ++ {`'`, `\u0027`},
> > + // Allow embedding in HTML without further escaping.
> > +- {`&`, `\x26amp;`},
> > ++ {`&`, `\u0026amp;`},
> > + // Prevent breaking out of text node and element
> boundaries.
> > +- {"</script>", `\x3c\/script\x3e`},
> > +- {"<![CDATA[", `\x3c![CDATA[`},
> > +- {"]]>", `]]\x3e`},
> > ++ {"</script>", `\u003c\/script\u003e`},
> > ++ {"<![CDATA[", `\u003c![CDATA[`},
> > ++ {"]]>", `]]\u003e`},
> > + //
> https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
> > + // "The text in style, script, title, and textarea
> elements
> > + // must not have an escaping text span start that is
> not
> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
> > + // allow regular text content to be interpreted as script
> > + // allowing script execution via a combination of a JS
> string
> > + // injection followed by an HTML text injection.
> > +- {"<!--", `\x3c!--`},
> > +- {"-->", `--\x3e`},
> > ++ {"<!--", `\u003c!--`},
> > ++ {"-->", `--\u003e`},
> > + // From
> https://code.google.com/p/doctype/wiki/ArticleUtf7
> > + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
> > +-
> `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
> > ++
> `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
> > + },
> > + // Invalid UTF-8 sequence
> > + {"foo\xA0bar", "foo\xA0bar"},
> > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
> > + }{
> > + {"", `(?:)`},
> > + {"foo", `foo`},
> > +- {"\u0000", `\0`},
> > ++ {"\u0000", `\u0000`},
> > + {"\t", `\t`},
> > + {"\n", `\n`},
> > + {"\r", `\r`},
> > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
> > + {"\\n", `\\n`},
> > + {"foo\r\nbar", `foo\r\nbar`},
> > + // Preserve attribute boundaries.
> > +- {`"`, `\x22`},
> > +- {`'`, `\x27`},
> > ++ {`"`, `\u0022`},
> > ++ {`'`, `\u0027`},
> > + // Allow embedding in HTML without further escaping.
> > +- {`&`, `\x26amp;`},
> > ++ {`&`, `\u0026amp;`},
> > + // Prevent breaking out of text node and element
> boundaries.
> > +- {"</script>", `\x3c\/script\x3e`},
> > +- {"<![CDATA[", `\x3c!\[CDATA\[`},
> > +- {"]]>", `\]\]\x3e`},
> > ++ {"</script>", `\u003c\/script\u003e`},
> > ++ {"<![CDATA[", `\u003c!\[CDATA\[`},
> > ++ {"]]>", `\]\]\u003e`},
> > + // Escaping text spans.
> > +- {"<!--", `\x3c!\-\-`},
> > +- {"-->", `\-\-\x3e`},
> > ++ {"<!--", `\u003c!\-\-`},
> > ++ {"-->", `\-\-\u003e`},
> > + {"*", `\*`},
> > +- {"+", `\x2b`},
> > ++ {"+", `\u002b`},
> > + {"?", `\?`},
> > + {"[](){}", `\[\]\(\)\{\}`},
> > + {"$foo|x.y", `\$foo\|x\.y`},
> > +@@ -284,27 +284,27 @@ func
> TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
> > + {
> > + "jsStrEscaper",
> > + jsStrEscaper,
> > +- "\\0\x01\x02\x03\x04\x05\x06\x07" +
> > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
> > +- "\x10\x11\x12\x13\x14\x15\x16\x17" +
> > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
> > +- ` !\x22#$%\x26\x27()*\x2b,-.\/` +
> > +- `0123456789:;\x3c=\x3e?` +
> > ++
> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
> > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
> > ++
> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
> > ++
> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
> > ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
> > ++ `0123456789:;\u003c=\u003e?` +
> > + `@ABCDEFGHIJKLMNO` +
> > + `PQRSTUVWXYZ[\\]^_` +
> > + "`abcdefghijklmno" +
> > +- "pqrstuvwxyz{|}~\x7f" +
> > ++ "pqrstuvwxyz{|}~\u007f" +
> > +
> "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
> > + },
> > + {
> > + "jsRegexpEscaper",
> > + jsRegexpEscaper,
> > +- "\\0\x01\x02\x03\x04\x05\x06\x07" +
> > +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
> > +- "\x10\x11\x12\x13\x14\x15\x16\x17" +
> > +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
> > +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
> > +- `0123456789:;\x3c=\x3e\?` +
> > ++
> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
> > ++ `\u0008\t\n\u000b\f\r\u000e\u000f` +
> > ++
> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
> > ++
> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
> > ++ `
> !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
> > ++ `0123456789:;\u003c=\u003e\?` +
> > + `@ABCDEFGHIJKLMNO` +
> > + `PQRSTUVWXYZ\[\\\]\^_` +
> > + "`abcdefghijklmno" +
> > +diff --git a/src/html/template/template_test.go
> b/src/html/template/template_test.go
> > +index 13e6ba4..86bd4db 100644
> > +--- a/src/html/template/template_test.go
> > ++++ b/src/html/template/template_test.go
> > +@@ -6,6 +6,7 @@ package template_test
> > +
> > + import (
> > + "bytes"
> > ++ "encoding/json"
> > + . "html/template"
> > + "strings"
> > + "testing"
> > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
> > + c.mustExecute(c.root, nil, "12.34 7.5")
> > + }
> > +
> > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t
> *testing.T) {
> > ++ // See #33671 and #37634 for more context on this.
> > ++ tests := []struct{ name, in string }{
> > ++ {"empty", ""},
> > ++ {"invalid", string(rune(-1))},
> > ++ {"null", "\u0000"},
> > ++ {"unit separator", "\u001F"},
> > ++ {"tab", "\t"},
> > ++ {"gt and lt", "<>"},
> > ++ {"quotes", `'"`},
> > ++ {"ASCII letters", "ASCII letters"},
> > ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"},
> > ++ {"Pizza", "🍕"},
> > ++ }
> > ++ const (
> > ++ prefix = `<script type="application/ld+json">`
> > ++ suffix = `</script>`
> > ++ templ = prefix + `"{{.}}"` + suffix
> > ++ )
> > ++ tpl := Must(New("JS string is JSON string").Parse(templ))
> > ++ for _, tt := range tests {
> > ++ t.Run(tt.name, func(t *testing.T) {
> > ++ var buf bytes.Buffer
> > ++ if err := tpl.Execute(&buf, tt.in); err != nil {
> > ++ t.Fatalf("Cannot render template: %v",
> err)
> > ++ }
> > ++ trimmed :=
> bytes.TrimSuffix(bytes.TrimPrefix(buf.Bytes(), []byte(prefix)),
> []byte(suffix))
> > ++ var got string
> > ++ if err := json.Unmarshal(trimmed, &got); err !=
> nil {
> > ++ t.Fatalf("Cannot parse JS string %q as
> JSON: %v", trimmed[1:len(trimmed)-1], err)
> > ++ }
> > ++ if got != tt.in {
> > ++ t.Errorf("Serialization changed the
> string value: got %q want %q", got, tt.in)
> > ++ }
> > ++ })
> > ++ }
> > ++}
> > ++
> > + type testCase struct {
> > + t *testing.T
> > + root *Template
> > +diff --git a/src/text/template/exec_test.go
> b/src/text/template/exec_test.go
> > +index 77294ed..b8a809e 100644
> > +--- a/src/text/template/exec_test.go
> > ++++ b/src/text/template/exec_test.go
> > +@@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) {
> > + {`Go "jump" \`, `Go \"jump\" \\`},
> > + {`Yukihiro says "今日は世界"`, `Yukihiro says \
> > \"今日は世界\"`}, + {"unprintable \uFDFF", `unprintable \
> > \uFDFF`}, +- {`<html>`, `\x3Chtml\x3E`},
> > +- {`no = in attributes`, `no \x3D in attributes`},
> > +- {`' does not become HTML entity`, `\x26#x27; does
> not become HTML entity`},
> > ++ {`<html>`, `\u003Chtml\u003E`},
> > ++ {`no = in attributes`, `no \u003D in attributes`},
> > ++ {`' does not become HTML entity`, `\u0026#x27; does
> not become HTML entity`},
> > + }
> > + for _, tc := range testCases {
> > + s := JSEscapeString(tc.in)
> > diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go
> > index 46125bc..f3de9fb 100644
> > --- a/src/text/template/funcs.go
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
> > new file mode 100644
> > index 0000000000..cd7dd0957c
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
> > @@ -0,0 +1,393 @@
> > +From 7ddce23c7d5b728acf8482f5006497c7b9915f8a Mon Sep 17 00:00:00 2001
> > +From: Ariel Mashraki <ariel@mashraki.co.il>
> > +Date: Wed, 22 Apr 2020 22:17:56 +0300
> > +Subject: [PATCH 3/6] text/template: add CommentNode to template parse
> tree
> > +MIME-Version: 1.0
> > +Content-Type: text/plain; charset=UTF-8
> > +Content-Transfer-Encoding: 8bit
> > +
> > +Fixes #34652
> > +
> > +Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/229398
> > +Reviewed-by: Daniel Martí <mvdan@mvdan.cc>
> > +Run-TryBot: Daniel Martí <mvdan@mvdan.cc>
> > +TryBot-Result: Gobot Gobot <gobot@golang.org>
> > +
> > +Dependency Patch #3
> > +
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6
> > +CVE: CVE-2023-24538
> > +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > +---
> > + api/next.txt | 19 +++++++++++++++++++
> > + src/html/template/escape.go | 2 ++
> > + src/html/template/template_test.go | 16 ++++++++++++++++
> > + src/text/template/exec.go | 1 +
> > + src/text/template/parse/lex.go | 8 +++++++-
> > + src/text/template/parse/lex_test.go | 7 +++++--
> > + src/text/template/parse/node.go | 33
> +++++++++++++++++++++++++++++++++
> > + src/text/template/parse/parse.go | 22 +++++++++++++++++++---
> > + src/text/template/parse/parse_test.go | 25 +++++++++++++++++++++++++
> > + 9 files changed, 127 insertions(+), 6 deletions(-)
> > +
> > +diff --git a/api/next.txt b/api/next.txt
> > +index e69de29..076f39e 100644
> > +--- a/api/next.txt
> > ++++ b/api/next.txt
> > +@@ -0,0 +1,19 @@
> > ++pkg unicode, const Version = "13.0.0"
> > ++pkg unicode, var Chorasmian *RangeTable
> > ++pkg unicode, var Dives_Akuru *RangeTable
> > ++pkg unicode, var Khitan_Small_Script *RangeTable
> > ++pkg unicode, var Yezidi *RangeTable
> > ++pkg text/template/parse, const NodeComment = 20
> > ++pkg text/template/parse, const NodeComment NodeType
> > ++pkg text/template/parse, const ParseComments = 1
> > ++pkg text/template/parse, const ParseComments Mode
> > ++pkg text/template/parse, method (*CommentNode) Copy() Node
> > ++pkg text/template/parse, method (*CommentNode) String() string
> > ++pkg text/template/parse, method (CommentNode) Position() Pos
> > ++pkg text/template/parse, method (CommentNode) Type() NodeType
> > ++pkg text/template/parse, type CommentNode struct
> > ++pkg text/template/parse, type CommentNode struct, Text string
> > ++pkg text/template/parse, type CommentNode struct, embedded NodeType
> > ++pkg text/template/parse, type CommentNode struct, embedded Pos
> > ++pkg text/template/parse, type Mode uint
> > ++pkg text/template/parse, type Tree struct, Mode Mode
> > +diff --git a/src/html/template/escape.go b/src/html/template/escape.go
> > +index f12dafa..8739735 100644
> > +--- a/src/html/template/escape.go
> > ++++ b/src/html/template/escape.go
> > +@@ -124,6 +124,8 @@ func (e *escaper) escape(c context, n parse.Node)
> context {
> > + switch n := n.(type) {
> > + case *parse.ActionNode:
> > + return e.escapeAction(c, n)
> > ++ case *parse.CommentNode:
> > ++ return c
> > + case *parse.IfNode:
> > + return e.escapeBranch(c, &n.BranchNode, "if")
> > + case *parse.ListNode:
> > +diff --git a/src/html/template/template_test.go
> b/src/html/template/template_test.go
> > +index 86bd4db..1f2c888 100644
> > +--- a/src/html/template/template_test.go
> > ++++ b/src/html/template/template_test.go
> > +@@ -10,6 +10,7 @@ import (
> > + . "html/template"
> > + "strings"
> > + "testing"
> > ++ "text/template/parse"
> > + )
> > +
> > + func TestTemplateClone(t *testing.T) {
> > +@@ -160,6 +161,21 @@ func
> TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
> > + }
> > + }
> > +
> > ++func TestSkipEscapeComments(t *testing.T) {
> > ++ c := newTestCase(t)
> > ++ tr := parse.New("root")
> > ++ tr.Mode = parse.ParseComments
> > ++ newT, err := tr.Parse("{{/* A comment */}}{{ 1 }}{{/* Another
> comment */}}", "", "", make(map[string]*parse.Tree))
> > ++ if err != nil {
> > ++ t.Fatalf("Cannot parse template text: %v", err)
> > ++ }
> > ++ c.root, err = c.root.AddParseTree("root", newT)
> > ++ if err != nil {
> > ++ t.Fatalf("Cannot add parse tree to template: %v", err)
> > ++ }
> > ++ c.mustExecute(c.root, nil, "1")
> > ++}
> > ++
> > + type testCase struct {
> > + t *testing.T
> > + root *Template
> > +diff --git a/src/text/template/exec.go b/src/text/template/exec.go
> > +index ac3e741..7ac5175 100644
> > +--- a/src/text/template/exec.go
> > ++++ b/src/text/template/exec.go
> > +@@ -256,6 +256,7 @@ func (s *state) walk(dot reflect.Value, node
> parse.Node) {
> > + if len(node.Pipe.Decl) == 0 {
> > + s.printValue(node, val)
> > + }
> > ++ case *parse.CommentNode:
> > + case *parse.IfNode:
> > + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List,
> node.ElseList)
> > + case *parse.ListNode:
> > +diff --git a/src/text/template/parse/lex.go
> b/src/text/template/parse/lex.go
> > +index 30371f2..e41373a 100644
> > +--- a/src/text/template/parse/lex.go
> > ++++ b/src/text/template/parse/lex.go
> > +@@ -41,6 +41,7 @@ const (
> > + itemBool // boolean constant
> > + itemChar // printable ASCII character;
> grab bag for comma etc.
> > + itemCharConstant // character constant
> > ++ itemComment // comment text
> > + itemComplex // complex constant (1+2i);
> imaginary is just a number
> > + itemAssign // equals ('=') introducing an
> assignment
> > + itemDeclare // colon-equals (':=')
> introducing a declaration
> > +@@ -112,6 +113,7 @@ type lexer struct {
> > + leftDelim string // start of action
> > + rightDelim string // end of action
> > + trimRightDelim string // end of action with trim marker
> > ++ emitComment bool // emit itemComment tokens.
> > + pos Pos // current position in the input
> > + start Pos // start position of this item
> > + width Pos // width of last rune read from input
> > +@@ -203,7 +205,7 @@ func (l *lexer) drain() {
> > + }
> > +
> > + // lex creates a new scanner for the input string.
> > +-func lex(name, input, left, right string) *lexer {
> > ++func lex(name, input, left, right string, emitComment bool) *lexer {
> > + if left == "" {
> > + left = leftDelim
> > + }
> > +@@ -216,6 +218,7 @@ func lex(name, input, left, right string) *lexer {
> > + leftDelim: left,
> > + rightDelim: right,
> > + trimRightDelim: rightTrimMarker + right,
> > ++ emitComment: emitComment,
> > + items: make(chan item),
> > + line: 1,
> > + startLine: 1,
> > +@@ -323,6 +326,9 @@ func lexComment(l *lexer) stateFn {
> > + if !delim {
> > + return l.errorf("comment ends before closing delimiter")
> > + }
> > ++ if l.emitComment {
> > ++ l.emit(itemComment)
> > ++ }
> > + if trimSpace {
> > + l.pos += trimMarkerLen
> > + }
> > +diff --git a/src/text/template/parse/lex_test.go
> b/src/text/template/parse/lex_test.go
> > +index 563c4fc..f6d5f28 100644
> > +--- a/src/text/template/parse/lex_test.go
> > ++++ b/src/text/template/parse/lex_test.go
> > +@@ -15,6 +15,7 @@ var itemName = map[itemType]string{
> > + itemBool: "bool",
> > + itemChar: "char",
> > + itemCharConstant: "charconst",
> > ++ itemComment: "comment",
> > + itemComplex: "complex",
> > + itemDeclare: ":=",
> > + itemEOF: "EOF",
> > +@@ -90,6 +91,7 @@ var lexTests = []lexTest{
> > + {"text", `now is the time`, []item{mkItem(itemText, "now is the
> time"), tEOF}},
> > + {"text with comment", "hello-{{/* this is a comment */}}-world",
> []item{
> > + mkItem(itemText, "hello-"),
> > ++ mkItem(itemComment, "/* this is a comment */"),
> > + mkItem(itemText, "-world"),
> > + tEOF,
> > + }},
> > +@@ -311,6 +313,7 @@ var lexTests = []lexTest{
> > + }},
> > + {"trimming spaces before and after comment", "hello- {{- /*
> hello */ -}} -world", []item{
> > + mkItem(itemText, "hello-"),
> > ++ mkItem(itemComment, "/* hello */"),
> > + mkItem(itemText, "-world"),
> > + tEOF,
> > + }},
> > +@@ -389,7 +392,7 @@ var lexTests = []lexTest{
> > +
> > + // collect gathers the emitted items into a slice.
> > + func collect(t *lexTest, left, right string) (items []item) {
> > +- l := lex(t.name, t.input, left, right)
> > ++ l := lex(t.name, t.input, left, right, true)
> > + for {
> > + item := l.nextItem()
> > + items = append(items, item)
> > +@@ -529,7 +532,7 @@ func TestPos(t *testing.T) {
> > + func TestShutdown(t *testing.T) {
> > + // We need to duplicate template.Parse here to hold on to the
> lexer.
> > + const text = "erroneous{{define}}{{else}}1234"
> > +- lexer := lex("foo", text, "{{", "}}")
> > ++ lexer := lex("foo", text, "{{", "}}", false)
> > + _, err := New("root").parseLexer(lexer)
> > + if err == nil {
> > + t.Fatalf("expected error")
> > +diff --git a/src/text/template/parse/node.go
> b/src/text/template/parse/node.go
> > +index 1c116ea..a9dad5e 100644
> > +--- a/src/text/template/parse/node.go
> > ++++ b/src/text/template/parse/node.go
> > +@@ -70,6 +70,7 @@ const (
> > + NodeTemplate // A template invocation action.
> > + NodeVariable // A $ variable.
> > + NodeWith // A with action.
> > ++ NodeComment // A comment.
> > + )
> > +
> > + // Nodes.
> > +@@ -149,6 +150,38 @@ func (t *TextNode) Copy() Node {
> > + return &TextNode{tr: t.tr, NodeType: NodeText, Pos: t.Pos,
> Text: append([]byte{}, t.Text...)}
> > + }
> > +
> > ++// CommentNode holds a comment.
> > ++type CommentNode struct {
> > ++ NodeType
> > ++ Pos
> > ++ tr *Tree
> > ++ Text string // Comment text.
> > ++}
> > ++
> > ++func (t *Tree) newComment(pos Pos, text string) *CommentNode {
> > ++ return &CommentNode{tr: t, NodeType: NodeComment, Pos: pos,
> Text: text}
> > ++}
> > ++
> > ++func (c *CommentNode) String() string {
> > ++ var sb strings.Builder
> > ++ c.writeTo(&sb)
> > ++ return sb.String()
> > ++}
> > ++
> > ++func (c *CommentNode) writeTo(sb *strings.Builder) {
> > ++ sb.WriteString("{{")
> > ++ sb.WriteString(c.Text)
> > ++ sb.WriteString("}}")
> > ++}
> > ++
> > ++func (c *CommentNode) tree() *Tree {
> > ++ return c.tr
> > ++}
> > ++
> > ++func (c *CommentNode) Copy() Node {
> > ++ return &CommentNode{tr: c.tr, NodeType: NodeComment, Pos:
> c.Pos, Text: c.Text}
> > ++}
> > ++
> > + // PipeNode holds a pipeline with optional declaration
> > + type PipeNode struct {
> > + NodeType
> > +diff --git a/src/text/template/parse/parse.go
> b/src/text/template/parse/parse.go
> > +index c9b80f4..496d8bf 100644
> > +--- a/src/text/template/parse/parse.go
> > ++++ b/src/text/template/parse/parse.go
> > +@@ -21,6 +21,7 @@ type Tree struct {
> > + Name string // name of the template represented by the
> tree.
> > + ParseName string // name of the top-level template during
> parsing, for error messages.
> > + Root *ListNode // top-level root of the tree.
> > ++ Mode Mode // parsing mode.
> > + text string // text parsed to create the template (or
> its parent)
> > + // Parsing only; cleared after parse.
> > + funcs []map[string]interface{}
> > +@@ -29,8 +30,16 @@ type Tree struct {
> > + peekCount int
> > + vars []string // variables defined at the moment.
> > + treeSet map[string]*Tree
> > ++ mode Mode
> > + }
> > +
> > ++// A mode value is a set of flags (or 0). Modes control parser
> behavior.
> > ++type Mode uint
> > ++
> > ++const (
> > ++ ParseComments Mode = 1 << iota // parse comments and add them to
> AST
> > ++)
> > ++
> > + // Copy returns a copy of the Tree. Any parsing state is discarded.
> > + func (t *Tree) Copy() *Tree {
> > + if t == nil {
> > +@@ -220,7 +229,8 @@ func (t *Tree) stopParse() {
> > + func (t *Tree) Parse(text, leftDelim, rightDelim string, treeSet
> map[string]*Tree, funcs ...map[string]interface{}) (tree *Tree, err error) {
> > + defer t.recover(&err)
> > + t.ParseName = t.Name
> > +- t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim),
> treeSet)
> > ++ emitComment := t.Mode&ParseComments != 0
> > ++ t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim,
> emitComment), treeSet)
> > + t.text = text
> > + t.parse()
> > + t.add()
> > +@@ -240,12 +250,14 @@ func (t *Tree) add() {
> > + }
> > + }
> > +
> > +-// IsEmptyTree reports whether this tree (node) is empty of everything
> but space.
> > ++// IsEmptyTree reports whether this tree (node) is empty of everything
> but space or comments.
> > + func IsEmptyTree(n Node) bool {
> > + switch n := n.(type) {
> > + case nil:
> > + return true
> > + case *ActionNode:
> > ++ case *CommentNode:
> > ++ return true
> > + case *IfNode:
> > + case *ListNode:
> > + for _, node := range n.Nodes {
> > +@@ -276,6 +288,7 @@ func (t *Tree) parse() {
> > + if t.nextNonSpace().typ == itemDefine {
> > + newT := New("definition") // name will
> be updated once we know it.
> > + newT.text = t.text
> > ++ newT.Mode = t.Mode
> > + newT.ParseName = t.ParseName
> > + newT.startParse(t.funcs, t.lex,
> t.treeSet)
> > + newT.parseDefinition()
> > +@@ -331,13 +344,15 @@ func (t *Tree) itemList() (list *ListNode, next
> Node) {
> > + }
> > +
> > + // textOrAction:
> > +-// text | action
> > ++// text | comment | action
> > + func (t *Tree) textOrAction() Node {
> > + switch token := t.nextNonSpace(); token.typ {
> > + case itemText:
> > + return t.newText(token.pos, token.val)
> > + case itemLeftDelim:
> > + return t.action()
> > ++ case itemComment:
> > ++ return t.newComment(token.pos, token.val)
> > + default:
> > + t.unexpected(token, "input")
> > + }
> > +@@ -539,6 +554,7 @@ func (t *Tree) blockControl() Node {
> > +
> > + block := New(name) // name will be updated once we know it.
> > + block.text = t.text
> > ++ block.Mode = t.Mode
> > + block.ParseName = t.ParseName
> > + block.startParse(t.funcs, t.lex, t.treeSet)
> > + var end Node
> > +diff --git a/src/text/template/parse/parse_test.go
> b/src/text/template/parse/parse_test.go
> > +index 4e09a78..d9c13c5 100644
> > +--- a/src/text/template/parse/parse_test.go
> > ++++ b/src/text/template/parse/parse_test.go
> > +@@ -348,6 +348,30 @@ func TestParseCopy(t *testing.T) {
> > + testParse(true, t)
> > + }
> > +
> > ++func TestParseWithComments(t *testing.T) {
> > ++ textFormat = "%q"
> > ++ defer func() { textFormat = "%s" }()
> > ++ tests := [...]parseTest{
> > ++ {"comment", "{{/*\n\n\n*/}}", noError, "{{/*\n\n\n*/}}"},
> > ++ {"comment trim left", "x \r\n\t{{- /* hi */}}", noError,
> `"x"{{/* hi */}}`},
> > ++ {"comment trim right", "{{/* hi */ -}}\n\n\ty", noError,
> `{{/* hi */}}"y"`},
> > ++ {"comment trim left and right", "x \r\n\t{{- /* */
> -}}\n\n\ty", noError, `"x"{{/* */}}"y"`},
> > ++ }
> > ++ for _, test := range tests {
> > ++ t.Run(test.name, func(t *testing.T) {
> > ++ tr := New(test.name)
> > ++ tr.Mode = ParseComments
> > ++ tmpl, err := tr.Parse(test.input, "", "",
> make(map[string]*Tree))
> > ++ if err != nil {
> > ++ t.Errorf("%q: expected error; got none",
> test.name)
> > ++ }
> > ++ if result := tmpl.Root.String(); result !=
> test.result {
> > ++ t.Errorf("%s=(%q):
> got\n\t%v\nexpected\n\t%v", test.name, test.input, result, test.result)
> > ++ }
> > ++ })
> > ++ }
> > ++}
> > ++
> > + type isEmptyTest struct {
> > + name string
> > + input string
> > +@@ -358,6 +382,7 @@ var isEmptyTests = []isEmptyTest{
> > + {"empty", ``, true},
> > + {"nonempty", `hello`, false},
> > + {"spaces only", " \t\n \t\n", true},
> > ++ {"comment only", "{{/* comment */}}", true},
> > + {"definition", `{{define "x"}}something{{end}}`, true},
> > + {"definitions and space", "{{define
> `x`}}something{{end}}\n\n{{define `y`}}something{{end}}\n\n", true},
> > + {"definitions and text", "{{define
> `x`}}something{{end}}\nx\n{{define `y`}}something{{end}}\ny\n", false},
> > +--
> > +2.7.4
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
> > new file mode 100644
> > index 0000000000..d5e2eb6684
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
> > @@ -0,0 +1,497 @@
> > +From 760d88497091fb5d6d231a18e6f4e06ecb9af9b2 Mon Sep 17 00:00:00 2001
> > +From: Russ Cox <rsc@golang.org>
> > +Date: Thu, 10 Sep 2020 18:53:26 -0400
> > +Subject: [PATCH 4/6] text/template: allow newlines inside action
> delimiters
> > +
> > +This allows multiline constructs like:
> > +
> > + {{"hello" |
> > + printf}}
> > +
> > +Now that unclosed actions can span multiple lines,
> > +track and report the start of the action when reporting errors.
> > +
> > +Also clean up a few "unexpected <error message>" to be just "<error
> message>".
> > +
> > +Fixes #29770.
> > +
> > +Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/254257
> > +Trust: Russ Cox <rsc@golang.org>
> > +Run-TryBot: Russ Cox <rsc@golang.org>
> > +TryBot-Result: Go Bot <gobot@golang.org>
> > +Reviewed-by: Rob Pike <r@golang.org>
> > +
> > +Dependency Patch #4
> > +
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017
> > +CVE: CVE-2023-24538
> > +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > +---
> > + src/text/template/doc.go | 21 ++++-----
> > + src/text/template/exec_test.go | 2 +-
> > + src/text/template/parse/lex.go | 84
> +++++++++++++++++------------------
> > + src/text/template/parse/lex_test.go | 2 +-
> > + src/text/template/parse/parse.go | 59 +++++++++++++-----------
> > + src/text/template/parse/parse_test.go | 36 ++++++++++++---
> > + 6 files changed, 117 insertions(+), 87 deletions(-)
> > +
> > +diff --git a/src/text/template/doc.go b/src/text/template/doc.go
> > +index 4b0efd2..7b30294 100644
> > +--- a/src/text/template/doc.go
> > ++++ b/src/text/template/doc.go
> > +@@ -40,16 +40,17 @@ More intricate examples appear below.
> > + Text and spaces
> > +
> > + By default, all text between actions is copied verbatim when the
> template is
> > +-executed. For example, the string " items are made of " in the example
> above appears
> > +-on standard output when the program is run.
> > +-
> > +-However, to aid in formatting template source code, if an action's
> left delimiter
> > +-(by default "{{") is followed immediately by a minus sign and ASCII
> space character
> > +-("{{- "), all trailing white space is trimmed from the immediately
> preceding text.
> > +-Similarly, if the right delimiter ("}}") is preceded by a space and
> minus sign
> > +-(" -}}"), all leading white space is trimmed from the immediately
> following text.
> > +-In these trim markers, the ASCII space must be present; "{{-3}}"
> parses as an
> > +-action containing the number -3.
> > ++executed. For example, the string " items are made of " in the example
> above
> > ++appears on standard output when the program is run.
> > ++
> > ++However, to aid in formatting template source code, if an action's left
> > ++delimiter (by default "{{") is followed immediately by a minus sign
> and white
> > ++space, all trailing white space is trimmed from the immediately
> preceding text.
> > ++Similarly, if the right delimiter ("}}") is preceded by white space
> and a minus
> > ++sign, all leading white space is trimmed from the immediately
> following text.
> > ++In these trim markers, the white space must be present:
> > ++"{{- 3}}" is like "{{3}}" but trims the immediately preceding text,
> while
> > ++"{{-3}}" parses as an action containing the number -3.
> > +
> > + For instance, when executing the template whose source is
> > +
> > +diff --git a/src/text/template/exec_test.go
> b/src/text/template/exec_test.go
> > +index b8a809e..3309b33 100644
> > +--- a/src/text/template/exec_test.go
> > ++++ b/src/text/template/exec_test.go
> > +@@ -1295,7 +1295,7 @@ func TestUnterminatedStringError(t *testing.T) {
> > + t.Fatal("expected error")
> > + }
> > + str := err.Error()
> > +- if !strings.Contains(str, "X:3: unexpected unterminated raw
> quoted string") {
> > ++ if !strings.Contains(str, "X:3: unterminated raw quoted string")
> {
> > + t.Fatalf("unexpected error: %s", str)
> > + }
> > + }
> > +diff --git a/src/text/template/parse/lex.go
> b/src/text/template/parse/lex.go
> > +index e41373a..6784071 100644
> > +--- a/src/text/template/parse/lex.go
> > ++++ b/src/text/template/parse/lex.go
> > +@@ -92,15 +92,14 @@ const eof = -1
> > + // If the action begins "{{- " rather than "{{", then all
> space/tab/newlines
> > + // preceding the action are trimmed; conversely if it ends " -}}" the
> > + // leading spaces are trimmed. This is done entirely in the lexer; the
> > +-// parser never sees it happen. We require an ASCII space to be
> > +-// present to avoid ambiguity with things like "{{-3}}". It reads
> > ++// parser never sees it happen. We require an ASCII space (' ', \t,
> \r, \n)
> > ++// to be present to avoid ambiguity with things like "{{-3}}". It reads
> > + // better with the space present anyway. For simplicity, only ASCII
> > +-// space does the job.
> > ++// does the job.
> > + const (
> > +- spaceChars = " \t\r\n" // These are the space characters
> defined by Go itself.
> > +- leftTrimMarker = "- " // Attached to left delimiter, trims
> trailing spaces from preceding text.
> > +- rightTrimMarker = " -" // Attached to right delimiter,
> trims leading spaces from following text.
> > +- trimMarkerLen = Pos(len(leftTrimMarker))
> > ++ spaceChars = " \t\r\n" // These are the space characters
> defined by Go itself.
> > ++ trimMarker = '-' // Attached to left/right delimiter,
> trims trailing spaces from preceding/following text.
> > ++ trimMarkerLen = Pos(1 + 1) // marker plus space before or after
> > + )
> > +
> > + // stateFn represents the state of the scanner as a function that
> returns the next state.
> > +@@ -108,19 +107,18 @@ type stateFn func(*lexer) stateFn
> > +
> > + // lexer holds the state of the scanner.
> > + type lexer struct {
> > +- name string // the name of the input; used only for
> error reports
> > +- input string // the string being scanned
> > +- leftDelim string // start of action
> > +- rightDelim string // end of action
> > +- trimRightDelim string // end of action with trim marker
> > +- emitComment bool // emit itemComment tokens.
> > +- pos Pos // current position in the input
> > +- start Pos // start position of this item
> > +- width Pos // width of last rune read from input
> > +- items chan item // channel of scanned items
> > +- parenDepth int // nesting depth of ( ) exprs
> > +- line int // 1+number of newlines seen
> > +- startLine int // start line of this item
> > ++ name string // the name of the input; used only for
> error reports
> > ++ input string // the string being scanned
> > ++ leftDelim string // start of action
> > ++ rightDelim string // end of action
> > ++ emitComment bool // emit itemComment tokens.
> > ++ pos Pos // current position in the input
> > ++ start Pos // start position of this item
> > ++ width Pos // width of last rune read from input
> > ++ items chan item // channel of scanned items
> > ++ parenDepth int // nesting depth of ( ) exprs
> > ++ line int // 1+number of newlines seen
> > ++ startLine int // start line of this item
> > + }
> > +
> > + // next returns the next rune in the input.
> > +@@ -213,15 +211,14 @@ func lex(name, input, left, right string,
> emitComment bool) *lexer {
> > + right = rightDelim
> > + }
> > + l := &lexer{
> > +- name: name,
> > +- input: input,
> > +- leftDelim: left,
> > +- rightDelim: right,
> > +- trimRightDelim: rightTrimMarker + right,
> > +- emitComment: emitComment,
> > +- items: make(chan item),
> > +- line: 1,
> > +- startLine: 1,
> > ++ name: name,
> > ++ input: input,
> > ++ leftDelim: left,
> > ++ rightDelim: right,
> > ++ emitComment: emitComment,
> > ++ items: make(chan item),
> > ++ line: 1,
> > ++ startLine: 1,
> > + }
> > + go l.run()
> > + return l
> > +@@ -251,7 +248,7 @@ func lexText(l *lexer) stateFn {
> > + ldn := Pos(len(l.leftDelim))
> > + l.pos += Pos(x)
> > + trimLength := Pos(0)
> > +- if strings.HasPrefix(l.input[l.pos+ldn:],
> leftTrimMarker) {
> > ++ if hasLeftTrimMarker(l.input[l.pos+ldn:]) {
> > + trimLength =
> rightTrimLength(l.input[l.start:l.pos])
> > + }
> > + l.pos -= trimLength
> > +@@ -280,7 +277,7 @@ func rightTrimLength(s string) Pos {
> > +
> > + // atRightDelim reports whether the lexer is at a right delimiter,
> possibly preceded by a trim marker.
> > + func (l *lexer) atRightDelim() (delim, trimSpaces bool) {
> > +- if strings.HasPrefix(l.input[l.pos:], l.trimRightDelim) { //
> With trim marker.
> > ++ if hasRightTrimMarker(l.input[l.pos:]) &&
> strings.HasPrefix(l.input[l.pos+trimMarkerLen:], l.rightDelim) { // With
> trim marker.
> > + return true, true
> > + }
> > + if strings.HasPrefix(l.input[l.pos:], l.rightDelim) { // Without
> trim marker.
> > +@@ -297,7 +294,7 @@ func leftTrimLength(s string) Pos {
> > + // lexLeftDelim scans the left delimiter, which is known to be
> present, possibly with a trim marker.
> > + func lexLeftDelim(l *lexer) stateFn {
> > + l.pos += Pos(len(l.leftDelim))
> > +- trimSpace := strings.HasPrefix(l.input[l.pos:], leftTrimMarker)
> > ++ trimSpace := hasLeftTrimMarker(l.input[l.pos:])
> > + afterMarker := Pos(0)
> > + if trimSpace {
> > + afterMarker = trimMarkerLen
> > +@@ -342,7 +339,7 @@ func lexComment(l *lexer) stateFn {
> > +
> > + // lexRightDelim scans the right delimiter, which is known to be
> present, possibly with a trim marker.
> > + func lexRightDelim(l *lexer) stateFn {
> > +- trimSpace := strings.HasPrefix(l.input[l.pos:], rightTrimMarker)
> > ++ trimSpace := hasRightTrimMarker(l.input[l.pos:])
> > + if trimSpace {
> > + l.pos += trimMarkerLen
> > + l.ignore()
> > +@@ -369,7 +366,7 @@ func lexInsideAction(l *lexer) stateFn {
> > + return l.errorf("unclosed left paren")
> > + }
> > + switch r := l.next(); {
> > +- case r == eof || isEndOfLine(r):
> > ++ case r == eof:
> > + return l.errorf("unclosed action")
> > + case isSpace(r):
> > + l.backup() // Put space back in case we have " -}}".
> > +@@ -439,7 +436,7 @@ func lexSpace(l *lexer) stateFn {
> > + }
> > + // Be careful about a trim-marked closing delimiter, which has a
> minus
> > + // after a space. We know there is a space, so check for the '-'
> that might follow.
> > +- if strings.HasPrefix(l.input[l.pos-1:], l.trimRightDelim) {
> > ++ if hasRightTrimMarker(l.input[l.pos-1:]) &&
> strings.HasPrefix(l.input[l.pos-1+trimMarkerLen:], l.rightDelim) {
> > + l.backup() // Before the space.
> > + if numSpaces == 1 {
> > + return lexRightDelim // On the delim, so go
> right to that.
> > +@@ -526,7 +523,7 @@ func lexFieldOrVariable(l *lexer, typ itemType)
> stateFn {
> > + // day to implement arithmetic.
> > + func (l *lexer) atTerminator() bool {
> > + r := l.peek()
> > +- if isSpace(r) || isEndOfLine(r) {
> > ++ if isSpace(r) {
> > + return true
> > + }
> > + switch r {
> > +@@ -657,15 +654,18 @@ Loop:
> > +
> > + // isSpace reports whether r is a space character.
> > + func isSpace(r rune) bool {
> > +- return r == ' ' || r == '\t'
> > +-}
> > +-
> > +-// isEndOfLine reports whether r is an end-of-line character.
> > +-func isEndOfLine(r rune) bool {
> > +- return r == '\r' || r == '\n'
> > ++ return r == ' ' || r == '\t' || r == '\r' || r == '\n'
> > + }
> > +
> > + // isAlphaNumeric reports whether r is an alphabetic, digit, or
> underscore.
> > + func isAlphaNumeric(r rune) bool {
> > + return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r)
> > + }
> > ++
> > ++func hasLeftTrimMarker(s string) bool {
> > ++ return len(s) >= 2 && s[0] == trimMarker && isSpace(rune(s[1]))
> > ++}
> > ++
> > ++func hasRightTrimMarker(s string) bool {
> > ++ return len(s) >= 2 && isSpace(rune(s[0])) && s[1] == trimMarker
> > ++}
> > +diff --git a/src/text/template/parse/lex_test.go
> b/src/text/template/parse/lex_test.go
> > +index f6d5f28..6510eed 100644
> > +--- a/src/text/template/parse/lex_test.go
> > ++++ b/src/text/template/parse/lex_test.go
> > +@@ -323,7 +323,7 @@ var lexTests = []lexTest{
> > + tLeft,
> > + mkItem(itemError, "unrecognized character in action:
> U+0001"),
> > + }},
> > +- {"unclosed action", "{{\n}}", []item{
> > ++ {"unclosed action", "{{", []item{
> > + tLeft,
> > + mkItem(itemError, "unclosed action"),
> > + }},
> > +diff --git a/src/text/template/parse/parse.go
> b/src/text/template/parse/parse.go
> > +index 496d8bf..5e6e512 100644
> > +--- a/src/text/template/parse/parse.go
> > ++++ b/src/text/template/parse/parse.go
> > +@@ -24,13 +24,14 @@ type Tree struct {
> > + Mode Mode // parsing mode.
> > + text string // text parsed to create the template (or
> its parent)
> > + // Parsing only; cleared after parse.
> > +- funcs []map[string]interface{}
> > +- lex *lexer
> > +- token [3]item // three-token lookahead for parser.
> > +- peekCount int
> > +- vars []string // variables defined at the moment.
> > +- treeSet map[string]*Tree
> > +- mode Mode
> > ++ funcs []map[string]interface{}
> > ++ lex *lexer
> > ++ token [3]item // three-token lookahead for parser.
> > ++ peekCount int
> > ++ vars []string // variables defined at the moment.
> > ++ treeSet map[string]*Tree
> > ++ actionLine int // line of left delim starting action
> > ++ mode Mode
> > + }
> > +
> > + // A mode value is a set of flags (or 0). Modes control parser
> behavior.
> > +@@ -187,6 +188,16 @@ func (t *Tree) expectOneOf(expected1, expected2
> itemType, context string) item {
> > +
> > + // unexpected complains about the token and terminates processing.
> > + func (t *Tree) unexpected(token item, context string) {
> > ++ if token.typ == itemError {
> > ++ extra := ""
> > ++ if t.actionLine != 0 && t.actionLine != token.line {
> > ++ extra = fmt.Sprintf(" in action started at
> %s:%d", t.ParseName, t.actionLine)
> > ++ if strings.HasSuffix(token.val, " action") {
> > ++ extra = extra[len(" in action"):] //
> avoid "action in action"
> > ++ }
> > ++ }
> > ++ t.errorf("%s%s", token, extra)
> > ++ }
> > + t.errorf("unexpected %s in %s", token, context)
> > + }
> > +
> > +@@ -350,6 +361,8 @@ func (t *Tree) textOrAction() Node {
> > + case itemText:
> > + return t.newText(token.pos, token.val)
> > + case itemLeftDelim:
> > ++ t.actionLine = token.line
> > ++ defer t.clearActionLine()
> > + return t.action()
> > + case itemComment:
> > + return t.newComment(token.pos, token.val)
> > +@@ -359,6 +372,10 @@ func (t *Tree) textOrAction() Node {
> > + return nil
> > + }
> > +
> > ++func (t *Tree) clearActionLine() {
> > ++ t.actionLine = 0
> > ++}
> > ++
> > + // Action:
> > + // control
> > + // command ("|" command)*
> > +@@ -384,12 +401,12 @@ func (t *Tree) action() (n Node) {
> > + t.backup()
> > + token := t.peek()
> > + // Do not pop variables; they persist until "end".
> > +- return t.newAction(token.pos, token.line, t.pipeline("command"))
> > ++ return t.newAction(token.pos, token.line, t.pipeline("command",
> itemRightDelim))
> > + }
> > +
> > + // Pipeline:
> > + // declarations? command ('|' command)*
> > +-func (t *Tree) pipeline(context string) (pipe *PipeNode) {
> > ++func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode)
> {
> > + token := t.peekNonSpace()
> > + pipe = t.newPipeline(token.pos, token.line, nil)
> > + // Are there declarations or assignments?
> > +@@ -430,12 +447,9 @@ decls:
> > + }
> > + for {
> > + switch token := t.nextNonSpace(); token.typ {
> > +- case itemRightDelim, itemRightParen:
> > ++ case end:
> > + // At this point, the pipeline is complete
> > + t.checkPipeline(pipe, context)
> > +- if token.typ == itemRightParen {
> > +- t.backup()
> > +- }
> > + return
> > + case itemBool, itemCharConstant, itemComplex, itemDot,
> itemField, itemIdentifier,
> > + itemNumber, itemNil, itemRawString, itemString,
> itemVariable, itemLeftParen:
> > +@@ -464,7 +478,7 @@ func (t *Tree) checkPipeline(pipe *PipeNode,
> context string) {
> > +
> > + func (t *Tree) parseControl(allowElseIf bool, context string) (pos
> Pos, line int, pipe *PipeNode, list, elseList *ListNode) {
> > + defer t.popVars(len(t.vars))
> > +- pipe = t.pipeline(context)
> > ++ pipe = t.pipeline(context, itemRightDelim)
> > + var next Node
> > + list, next = t.itemList()
> > + switch next.Type() {
> > +@@ -550,7 +564,7 @@ func (t *Tree) blockControl() Node {
> > +
> > + token := t.nextNonSpace()
> > + name := t.parseTemplateName(token, context)
> > +- pipe := t.pipeline(context)
> > ++ pipe := t.pipeline(context, itemRightDelim)
> > +
> > + block := New(name) // name will be updated once we know it.
> > + block.text = t.text
> > +@@ -580,7 +594,7 @@ func (t *Tree) templateControl() Node {
> > + if t.nextNonSpace().typ != itemRightDelim {
> > + t.backup()
> > + // Do not pop variables; they persist until "end".
> > +- pipe = t.pipeline(context)
> > ++ pipe = t.pipeline(context, itemRightDelim)
> > + }
> > + return t.newTemplate(token.pos, token.line, name, pipe)
> > + }
> > +@@ -614,13 +628,12 @@ func (t *Tree) command() *CommandNode {
> > + switch token := t.next(); token.typ {
> > + case itemSpace:
> > + continue
> > +- case itemError:
> > +- t.errorf("%s", token.val)
> > + case itemRightDelim, itemRightParen:
> > + t.backup()
> > + case itemPipe:
> > ++ // nothing here; break loop below
> > + default:
> > +- t.errorf("unexpected %s in operand", token)
> > ++ t.unexpected(token, "operand")
> > + }
> > + break
> > + }
> > +@@ -675,8 +688,6 @@ func (t *Tree) operand() Node {
> > + // A nil return means the next item is not a term.
> > + func (t *Tree) term() Node {
> > + switch token := t.nextNonSpace(); token.typ {
> > +- case itemError:
> > +- t.errorf("%s", token.val)
> > + case itemIdentifier:
> > + if !t.hasFunction(token.val) {
> > + t.errorf("function %q not defined", token.val)
> > +@@ -699,11 +710,7 @@ func (t *Tree) term() Node {
> > + }
> > + return number
> > + case itemLeftParen:
> > +- pipe := t.pipeline("parenthesized pipeline")
> > +- if token := t.next(); token.typ != itemRightParen {
> > +- t.errorf("unclosed right paren: unexpected %s",
> token)
> > +- }
> > +- return pipe
> > ++ return t.pipeline("parenthesized pipeline",
> itemRightParen)
> > + case itemString, itemRawString:
> > + s, err := strconv.Unquote(token.val)
> > + if err != nil {
> > +diff --git a/src/text/template/parse/parse_test.go
> b/src/text/template/parse/parse_test.go
> > +index d9c13c5..220f984 100644
> > +--- a/src/text/template/parse/parse_test.go
> > ++++ b/src/text/template/parse/parse_test.go
> > +@@ -250,6 +250,13 @@ var parseTests = []parseTest{
> > + {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty",
> noError, `"x""y"`},
> > + {"block definition", `{{block "foo" .}}hello{{end}}`, noError,
> > + `{{template "foo" .}}`},
> > ++
> > ++ {"newline in assignment", "{{ $x \n := \n 1 \n }}", noError,
> "{{$x := 1}}"},
> > ++ {"newline in empty action", "{{\n}}", hasError, "{{\n}}"},
> > ++ {"newline in pipeline", "{{\n\"x\"\n|\nprintf\n}}", noError,
> `{{"x" | printf}}`},
> > ++ {"newline in comment", "{{/*\nhello\n*/}}", noError, ""},
> > ++ {"newline in comment", "{{-\n/*\nhello\n*/\n-}}", noError, ""},
> > ++
> > + // Errors.
> > + {"unclosed action", "hello{{range", hasError, ""},
> > + {"unmatched end", "{{end}}", hasError, ""},
> > +@@ -426,23 +433,38 @@ var errorTests = []parseTest{
> > + // Check line numbers are accurate.
> > + {"unclosed1",
> > + "line1\n{{",
> > +- hasError, `unclosed1:2: unexpected unclosed action in
> command`},
> > ++ hasError, `unclosed1:2: unclosed action`},
> > + {"unclosed2",
> > + "line1\n{{define `x`}}line2\n{{",
> > +- hasError, `unclosed2:3: unexpected unclosed action in
> command`},
> > ++ hasError, `unclosed2:3: unclosed action`},
> > ++ {"unclosed3",
> > ++ "line1\n{{\"x\"\n\"y\"\n",
> > ++ hasError, `unclosed3:4: unclosed action started at
> unclosed3:2`},
> > ++ {"unclosed4",
> > ++ "{{\n\n\n\n\n",
> > ++ hasError, `unclosed4:6: unclosed action started at
> unclosed4:1`},
> > ++ {"var1",
> > ++ "line1\n{{\nx\n}}",
> > ++ hasError, `var1:3: function "x" not defined`},
> > + // Specific errors.
> > + {"function",
> > + "{{foo}}",
> > + hasError, `function "foo" not defined`},
> > +- {"comment",
> > ++ {"comment1",
> > + "{{/*}}",
> > +- hasError, `unclosed comment`},
> > ++ hasError, `comment1:1: unclosed comment`},
> > ++ {"comment2",
> > ++ "{{/*\nhello\n}}",
> > ++ hasError, `comment2:1: unclosed comment`},
> > + {"lparen",
> > + "{{.X (1 2 3}}",
> > + hasError, `unclosed left paren`},
> > + {"rparen",
> > +- "{{.X 1 2 3)}}",
> > +- hasError, `unexpected ")"`},
> > ++ "{{.X 1 2 3 ) }}",
> > ++ hasError, `unexpected ")" in command`},
> > ++ {"rparen2",
> > ++ "{{(.X 1 2 3",
> > ++ hasError, `unclosed action`},
> > + {"space",
> > + "{{`x`3}}",
> > + hasError, `in operand`},
> > +@@ -488,7 +510,7 @@ var errorTests = []parseTest{
> > + hasError, `missing value for parenthesized pipeline`},
> > + {"multilinerawstring",
> > + "{{ $v := `\n` }} {{",
> > +- hasError, `multilinerawstring:2: unexpected unclosed
> action`},
> > ++ hasError, `multilinerawstring:2: unclosed action`},
> > + {"rangeundefvar",
> > + "{{range $k}}{{end}}",
> > + hasError, `undefined variable`},
> > +--
> > +2.7.4
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
> > new file mode 100644
> > index 0000000000..fc38929648
> > --- /dev/null
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
> > @@ -0,0 +1,585 @@
> > +From e0e6bca6ddc0e6d9fa3a5b644af9b446924fbf83 Mon Sep 17 00:00:00 2001
> > +From: Russ Cox <rsc@golang.org>
> > +Date: Thu, 20 May 2021 12:46:33 -0400
> > +Subject: [PATCH 5/6] html/template, text/template: implement break and
> > + continue for range loops
> > +
> > +Break and continue for range loops was accepted as a proposal in June
> 2017.
> > +It was implemented in CL 66410 (Oct 2017)
> > +but then rolled back in CL 92155 (Feb 2018)
> > +because html/template changes had not been implemented.
> > +
> > +This CL reimplements break and continue in text/template
> > +and then adds support for them in html/template as well.
> > +
> > +Fixes #20531.
> > +
> > +Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616
> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/321491
> > +Trust: Russ Cox <rsc@golang.org>
> > +Run-TryBot: Russ Cox <rsc@golang.org>
> > +TryBot-Result: Go Bot <gobot@golang.org>
> > +Reviewed-by: Rob Pike <r@golang.org>
> > +
> > +Dependency Patch #5
> > +
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565
> > +CVE: CVE-2023-24538
> > +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > +---
> > + src/html/template/context.go | 4 ++
> > + src/html/template/escape.go | 71
> ++++++++++++++++++++++++++++++++++-
> > + src/html/template/escape_test.go | 24 ++++++++++++
> > + src/text/template/doc.go | 8 ++++
> > + src/text/template/exec.go | 24 +++++++++++-
> > + src/text/template/exec_test.go | 2 +
> > + src/text/template/parse/lex.go | 13 ++++++-
> > + src/text/template/parse/lex_test.go | 2 +
> > + src/text/template/parse/node.go | 36 ++++++++++++++++++
> > + src/text/template/parse/parse.go | 42 ++++++++++++++++++++-
> > + src/text/template/parse/parse_test.go | 8 ++++
> > + 11 files changed, 230 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/src/html/template/context.go b/src/html/template/context.go
> > +index f7d4849..aaa7d08 100644
> > +--- a/src/html/template/context.go
> > ++++ b/src/html/template/context.go
> > +@@ -6,6 +6,7 @@ package template
> > +
> > + import (
> > + "fmt"
> > ++ "text/template/parse"
> > + )
> > +
> > + // context describes the state an HTML parser must be in when it
> reaches the
> > +@@ -22,6 +23,7 @@ type context struct {
> > + jsCtx jsCtx
> > + attr attr
> > + element element
> > ++ n parse.Node // for range break/continue
> > + err *Error
> > + }
> > +
> > +@@ -141,6 +143,8 @@ const (
> > + // stateError is an infectious error state outside any valid
> > + // HTML/CSS/JS construct.
> > + stateError
> > ++ // stateDead marks unreachable code after a {{break}} or
> {{continue}}.
> > ++ stateDead
> > + )
> > +
> > + // isComment is true for any state that contains content meant for
> template
> > +diff --git a/src/html/template/escape.go b/src/html/template/escape.go
> > +index 8739735..6dea79c 100644
> > +--- a/src/html/template/escape.go
> > ++++ b/src/html/template/escape.go
> > +@@ -97,6 +97,15 @@ type escaper struct {
> > + actionNodeEdits map[*parse.ActionNode][]string
> > + templateNodeEdits map[*parse.TemplateNode]string
> > + textNodeEdits map[*parse.TextNode][]byte
> > ++ // rangeContext holds context about the current range loop.
> > ++ rangeContext *rangeContext
> > ++}
> > ++
> > ++// rangeContext holds information about the current range loop.
> > ++type rangeContext struct {
> > ++ outer *rangeContext // outer loop
> > ++ breaks []context // context at each break action
> > ++ continues []context // context at each continue action
> > + }
> > +
> > + // makeEscaper creates a blank escaper for the given set.
> > +@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper {
> > + map[*parse.ActionNode][]string{},
> > + map[*parse.TemplateNode]string{},
> > + map[*parse.TextNode][]byte{},
> > ++ nil,
> > + }
> > + }
> > +
> > +@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node)
> context {
> > + switch n := n.(type) {
> > + case *parse.ActionNode:
> > + return e.escapeAction(c, n)
> > ++ case *parse.BreakNode:
> > ++ c.n = n
> > ++ e.rangeContext.breaks = append(e.rangeContext.breaks, c)
> > ++ return context{state: stateDead}
> > + case *parse.CommentNode:
> > + return c
> > ++ case *parse.ContinueNode:
> > ++ c.n = n
> > ++ e.rangeContext.continues = append(e.rangeContext.breaks,
> c)
> > ++ return context{state: stateDead}
> > + case *parse.IfNode:
> > + return e.escapeBranch(c, &n.BranchNode, "if")
> > + case *parse.ListNode:
> > +@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName
> string) context {
> > + if b.state == stateError {
> > + return b
> > + }
> > ++ if a.state == stateDead {
> > ++ return b
> > ++ }
> > ++ if b.state == stateDead {
> > ++ return a
> > ++ }
> > + if a.eq(b) {
> > + return a
> > + }
> > +@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName
> string) context {
> > +
> > + // escapeBranch escapes a branch template node: "if", "range" and
> "with".
> > + func (e *escaper) escapeBranch(c context, n *parse.BranchNode,
> nodeName string) context {
> > ++ if nodeName == "range" {
> > ++ e.rangeContext = &rangeContext{outer: e.rangeContext}
> > ++ }
> > + c0 := e.escapeList(c, n.List)
> > +- if nodeName == "range" && c0.state != stateError {
> > ++ if nodeName == "range" {
> > ++ if c0.state != stateError {
> > ++ c0 = joinRange(c0, e.rangeContext)
> > ++ }
> > ++ e.rangeContext = e.rangeContext.outer
> > ++ if c0.state == stateError {
> > ++ return c0
> > ++ }
> > ++
> > + // The "true" branch of a "range" node can execute
> multiple times.
> > + // We check that executing n.List once results in the
> same context
> > + // as executing n.List twice.
> > ++ e.rangeContext = &rangeContext{outer: e.rangeContext}
> > + c1, _ := e.escapeListConditionally(c0, n.List, nil)
> > + c0 = join(c0, c1, n, nodeName)
> > + if c0.state == stateError {
> > ++ e.rangeContext = e.rangeContext.outer
> > + // Make clear that this is a problem on loop
> re-entry
> > + // since developers tend to overlook that branch
> when
> > + // debugging templates.
> > +@@ -481,11 +518,39 @@ func (e *escaper) escapeBranch(c context, n
> *parse.BranchNode, nodeName string)
> > + c0.err.Description = "on range loop re-entry: "
> + c0.err.Description
> > + return c0
> > + }
> > ++ c0 = joinRange(c0, e.rangeContext)
> > ++ e.rangeContext = e.rangeContext.outer
> > ++ if c0.state == stateError {
> > ++ return c0
> > ++ }
> > + }
> > + c1 := e.escapeList(c, n.ElseList)
> > + return join(c0, c1, n, nodeName)
> > + }
> > +
> > ++func joinRange(c0 context, rc *rangeContext) context {
> > ++ // Merge contexts at break and continue statements into overall
> body context.
> > ++ // In theory we could treat breaks differently from continues,
> but for now it is
> > ++ // enough to treat them both as going back to the start of the
> loop (which may then stop).
> > ++ for _, c := range rc.breaks {
> > ++ c0 = join(c0, c, c.n, "range")
> > ++ if c0.state == stateError {
> > ++ c0.err.Line = c.n.(*parse.BreakNode).Line
> > ++ c0.err.Description = "at range loop break: " +
> c0.err.Description
> > ++ return c0
> > ++ }
> > ++ }
> > ++ for _, c := range rc.continues {
> > ++ c0 = join(c0, c, c.n, "range")
> > ++ if c0.state == stateError {
> > ++ c0.err.Line = c.n.(*parse.ContinueNode).Line
> > ++ c0.err.Description = "at range loop continue: "
> + c0.err.Description
> > ++ return c0
> > ++ }
> > ++ }
> > ++ return c0
> > ++}
> > ++
> > + // escapeList escapes a list template node.
> > + func (e *escaper) escapeList(c context, n *parse.ListNode) context {
> > + if n == nil {
> > +@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n
> *parse.ListNode) context {
> > + }
> > + for _, m := range n.Nodes {
> > + c = e.escape(c, m)
> > ++ if c.state == stateDead {
> > ++ break
> > ++ }
> > + }
> > + return c
> > + }
> > +@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n
> *parse.ListNode) context {
> > + // which is the same as whether e was updated.
> > + func (e *escaper) escapeListConditionally(c context, n
> *parse.ListNode, filter func(*escaper, context) bool) (context, bool) {
> > + e1 := makeEscaper(e.ns)
> > ++ e1.rangeContext = e.rangeContext
> > + // Make type inferences available to f.
> > + for k, v := range e.output {
> > + e1.output[k] = v
> > +diff --git a/src/html/template/escape_test.go
> b/src/html/template/escape_test.go
> > +index c709660..fa2b84a 100644
> > +--- a/src/html/template/escape_test.go
> > ++++ b/src/html/template/escape_test.go
> > +@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) {
> > + "<a href='/foo?{{range
> .Items}}&{{.K}}={{.V}}{{end}}'>",
> > + "",
> > + },
> > ++ {
> > ++ "{{range .Items}}<a{{if .X}}{{end}}>{{end}}",
> > ++ "",
> > ++ },
> > ++ {
> > ++ "{{range .Items}}<a{{if
> .X}}{{end}}>{{continue}}{{end}}",
> > ++ "",
> > ++ },
> > ++ {
> > ++ "{{range .Items}}<a{{if
> .X}}{{end}}>{{break}}{{end}}",
> > ++ "",
> > ++ },
> > ++ {
> > ++ "{{range .Items}}<a{{if .X}}{{end}}>{{if
> .X}}{{break}}{{end}}{{end}}",
> > ++ "",
> > ++ },
> > + // Error cases.
> > + {
> > + "{{if .Cond}}<a{{end}}",
> > +@@ -956,6 +972,14 @@ func TestErrors(t *testing.T) {
> > + "z:2:8: on range loop re-entry: {{range}}
> branches",
> > + },
> > + {
> > ++ "{{range .Items}}<a{{if
> .X}}{{break}}{{end}}>{{end}}",
> > ++ "z:1:29: at range loop break: {{range}} branches
> end in different contexts",
> > ++ },
> > ++ {
> > ++ "{{range .Items}}<a{{if
> .X}}{{continue}}{{end}}>{{end}}",
> > ++ "z:1:29: at range loop continue: {{range}}
> branches end in different contexts",
> > ++ },
> > ++ {
> > + "<a b=1 c={{.H}}",
> > + "z: ends in a non-text context: {stateAttr
> delimSpaceOrTagEnd",
> > + },
> > +diff --git a/src/text/template/doc.go b/src/text/template/doc.go
> > +index 7b30294..0228b15 100644
> > +--- a/src/text/template/doc.go
> > ++++ b/src/text/template/doc.go
> > +@@ -112,6 +112,14 @@ data, defined in detail in the corresponding
> sections that follow.
> > + T0 is executed; otherwise, dot is set to the successive
> elements
> > + of the array, slice, or map and T1 is executed.
> > +
> > ++ {{break}}
> > ++ The innermost {{range pipeline}} loop is ended early,
> stopping the
> > ++ current iteration and bypassing all remaining iterations.
> > ++
> > ++ {{continue}}
> > ++ The current iteration of the innermost {{range
> pipeline}} loop is
> > ++ stopped, and the loop starts the next iteration.
> > ++
> > + {{template "name"}}
> > + The template with the specified name is executed with
> nil data.
> > +
> > +diff --git a/src/text/template/exec.go b/src/text/template/exec.go
> > +index 7ac5175..6cb140a 100644
> > +--- a/src/text/template/exec.go
> > ++++ b/src/text/template/exec.go
> > +@@ -5,6 +5,7 @@
> > + package template
> > +
> > + import (
> > ++ "errors"
> > + "fmt"
> > + "internal/fmtsort"
> > + "io"
> > +@@ -244,6 +245,12 @@ func (t *Template) DefinedTemplates() string {
> > + return b.String()
> > + }
> > +
> > ++// Sentinel errors for use with panic to signal early exits from range
> loops.
> > ++var (
> > ++ walkBreak = errors.New("break")
> > ++ walkContinue = errors.New("continue")
> > ++)
> > ++
> > + // Walk functions step through the major pieces of the template
> structure,
> > + // generating output as they go.
> > + func (s *state) walk(dot reflect.Value, node parse.Node) {
> > +@@ -256,7 +263,11 @@ func (s *state) walk(dot reflect.Value, node
> parse.Node) {
> > + if len(node.Pipe.Decl) == 0 {
> > + s.printValue(node, val)
> > + }
> > ++ case *parse.BreakNode:
> > ++ panic(walkBreak)
> > + case *parse.CommentNode:
> > ++ case *parse.ContinueNode:
> > ++ panic(walkContinue)
> > + case *parse.IfNode:
> > + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List,
> node.ElseList)
> > + case *parse.ListNode:
> > +@@ -335,6 +346,11 @@ func isTrue(val reflect.Value) (truth, ok bool) {
> > +
> > + func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) {
> > + s.at(r)
> > ++ defer func() {
> > ++ if r := recover(); r != nil && r != walkBreak {
> > ++ panic(r)
> > ++ }
> > ++ }()
> > + defer s.pop(s.mark())
> > + val, _ := indirect(s.evalPipeline(dot, r.Pipe))
> > + // mark top of stack before any variables in the body are pushed.
> > +@@ -348,8 +364,14 @@ func (s *state) walkRange(dot reflect.Value, r
> *parse.RangeNode) {
> > + if len(r.Pipe.Decl) > 1 {
> > + s.setTopVar(2, index)
> > + }
> > ++ defer s.pop(mark)
> > ++ defer func() {
> > ++ // Consume panic(walkContinue)
> > ++ if r := recover(); r != nil && r != walkContinue
> {
> > ++ panic(r)
> > ++ }
> > ++ }()
> > + s.walk(elem, r.List)
> > +- s.pop(mark)
> > + }
> > + switch val.Kind() {
> > + case reflect.Array, reflect.Slice:
> > +diff --git a/src/text/template/exec_test.go
> b/src/text/template/exec_test.go
> > +index 3309b33..a639f44 100644
> > +--- a/src/text/template/exec_test.go
> > ++++ b/src/text/template/exec_test.go
> > +@@ -563,6 +563,8 @@ var execTests = []execTest{
> > + {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "",
> tVal, true},
> > + {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}",
> "-3--4--5-", tVal, true},
> > + {"range empty else", "{{range
> .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true},
> > ++ {"range []int break else", "{{range
> .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true},
> > ++ {"range []int continue else", "{{range
> .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal,
> true},
> > + {"range []bool", "{{range .SB}}-{{.}}-{{end}}", "-true--false-",
> tVal, true},
> > + {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}",
> "-20--21--22-", tVal, true},
> > + {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal,
> true},
> > +diff --git a/src/text/template/parse/lex.go
> b/src/text/template/parse/lex.go
> > +index 6784071..95e3377 100644
> > +--- a/src/text/template/parse/lex.go
> > ++++ b/src/text/template/parse/lex.go
> > +@@ -62,6 +62,8 @@ const (
> > + // Keywords appear after all the rest.
> > + itemKeyword // used only to delimit the keywords
> > + itemBlock // block keyword
> > ++ itemBreak // break keyword
> > ++ itemContinue // continue keyword
> > + itemDot // the cursor, spelled '.'
> > + itemDefine // define keyword
> > + itemElse // else keyword
> > +@@ -76,6 +78,8 @@ const (
> > + var key = map[string]itemType{
> > + ".": itemDot,
> > + "block": itemBlock,
> > ++ "break": itemBreak,
> > ++ "continue": itemContinue,
> > + "define": itemDefine,
> > + "else": itemElse,
> > + "end": itemEnd,
> > +@@ -119,6 +123,8 @@ type lexer struct {
> > + parenDepth int // nesting depth of ( ) exprs
> > + line int // 1+number of newlines seen
> > + startLine int // start line of this item
> > ++ breakOK bool // break keyword allowed
> > ++ continueOK bool // continue keyword allowed
> > + }
> > +
> > + // next returns the next rune in the input.
> > +@@ -461,7 +467,12 @@ Loop:
> > + }
> > + switch {
> > + case key[word] > itemKeyword:
> > +- l.emit(key[word])
> > ++ item := key[word]
> > ++ if item == itemBreak && !l.breakOK ||
> item == itemContinue && !l.continueOK {
> > ++ l.emit(itemIdentifier)
> > ++ } else {
> > ++ l.emit(item)
> > ++ }
> > + case word[0] == '.':
> > + l.emit(itemField)
> > + case word == "true", word == "false":
> > +diff --git a/src/text/template/parse/lex_test.go
> b/src/text/template/parse/lex_test.go
> > +index 6510eed..df6aabf 100644
> > +--- a/src/text/template/parse/lex_test.go
> > ++++ b/src/text/template/parse/lex_test.go
> > +@@ -35,6 +35,8 @@ var itemName = map[itemType]string{
> > + // keywords
> > + itemDot: ".",
> > + itemBlock: "block",
> > ++ itemBreak: "break",
> > ++ itemContinue: "continue",
> > + itemDefine: "define",
> > + itemElse: "else",
> > + itemIf: "if",
> > +diff --git a/src/text/template/parse/node.go
> b/src/text/template/parse/node.go
> > +index a9dad5e..c398da0 100644
> > +--- a/src/text/template/parse/node.go
> > ++++ b/src/text/template/parse/node.go
> > +@@ -71,6 +71,8 @@ const (
> > + NodeVariable // A $ variable.
> > + NodeWith // A with action.
> > + NodeComment // A comment.
> > ++ NodeBreak // A break action.
> > ++ NodeContinue // A continue action.
> > + )
> > +
> > + // Nodes.
> > +@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node {
> > + return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(),
> i.List.CopyList(), i.ElseList.CopyList())
> > + }
> > +
> > ++// BreakNode represents a {{break}} action.
> > ++type BreakNode struct {
> > ++ tr *Tree
> > ++ NodeType
> > ++ Pos
> > ++ Line int
> > ++}
> > ++
> > ++func (t *Tree) newBreak(pos Pos, line int) *BreakNode {
> > ++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line:
> line}
> > ++}
> > ++
> > ++func (b *BreakNode) Copy() Node { return
> b.tr.newBreak(b.Pos, b.Line) }
> > ++func (b *BreakNode) String() string { return "{{break}}" }
> > ++func (b *BreakNode) tree() *Tree { return b.tr }
> > ++func (b *BreakNode) writeTo(sb *strings.Builder) {
> sb.WriteString("{{break}}") }
> > ++
> > ++// ContinueNode represents a {{continue}} action.
> > ++type ContinueNode struct {
> > ++ tr *Tree
> > ++ NodeType
> > ++ Pos
> > ++ Line int
> > ++}
> > ++
> > ++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode {
> > ++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos,
> Line: line}
> > ++}
> > ++
> > ++func (c *ContinueNode) Copy() Node { return
> c.tr.newContinue(c.Pos, c.Line) }
> > ++func (c *ContinueNode) String() string { return
> "{{continue}}" }
> > ++func (c *ContinueNode) tree() *Tree { return c.tr }
> > ++func (c *ContinueNode) writeTo(sb *strings.Builder) {
> sb.WriteString("{{continue}}") }
> > ++
> > + // RangeNode represents a {{range}} action and its commands.
> > + type RangeNode struct {
> > + BranchNode
> > +diff --git a/src/text/template/parse/parse.go
> b/src/text/template/parse/parse.go
> > +index 5e6e512..7f78b56 100644
> > +--- a/src/text/template/parse/parse.go
> > ++++ b/src/text/template/parse/parse.go
> > +@@ -31,6 +31,7 @@ type Tree struct {
> > + vars []string // variables defined at the moment.
> > + treeSet map[string]*Tree
> > + actionLine int // line of left delim starting action
> > ++ rangeDepth int
> > + mode Mode
> > + }
> > +
> > +@@ -223,6 +224,8 @@ func (t *Tree) startParse(funcs
> []map[string]interface{}, lex *lexer, treeSet ma
> > + t.vars = []string{"$"}
> > + t.funcs = funcs
> > + t.treeSet = treeSet
> > ++ lex.breakOK = !t.hasFunction("break")
> > ++ lex.continueOK = !t.hasFunction("continue")
> > + }
> > +
> > + // stopParse terminates parsing.
> > +@@ -385,6 +388,10 @@ func (t *Tree) action() (n Node) {
> > + switch token := t.nextNonSpace(); token.typ {
> > + case itemBlock:
> > + return t.blockControl()
> > ++ case itemBreak:
> > ++ return t.breakControl(token.pos, token.line)
> > ++ case itemContinue:
> > ++ return t.continueControl(token.pos, token.line)
> > + case itemElse:
> > + return t.elseControl()
> > + case itemEnd:
> > +@@ -404,6 +411,32 @@ func (t *Tree) action() (n Node) {
> > + return t.newAction(token.pos, token.line, t.pipeline("command",
> itemRightDelim))
> > + }
> > +
> > ++// Break:
> > ++// {{break}}
> > ++// Break keyword is past.
> > ++func (t *Tree) breakControl(pos Pos, line int) Node {
> > ++ if token := t.next(); token.typ != itemRightDelim {
> > ++ t.unexpected(token, "in {{break}}")
> > ++ }
> > ++ if t.rangeDepth == 0 {
> > ++ t.errorf("{{break}} outside {{range}}")
> > ++ }
> > ++ return t.newBreak(pos, line)
> > ++}
> > ++
> > ++// Continue:
> > ++// {{continue}}
> > ++// Continue keyword is past.
> > ++func (t *Tree) continueControl(pos Pos, line int) Node {
> > ++ if token := t.next(); token.typ != itemRightDelim {
> > ++ t.unexpected(token, "in {{continue}}")
> > ++ }
> > ++ if t.rangeDepth == 0 {
> > ++ t.errorf("{{continue}} outside {{range}}")
> > ++ }
> > ++ return t.newContinue(pos, line)
> > ++}
> > ++
> > + // Pipeline:
> > + // declarations? command ('|' command)*
> > + func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode)
> {
> > +@@ -479,8 +512,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode,
> context string) {
> > + func (t *Tree) parseControl(allowElseIf bool, context string) (pos
> Pos, line int, pipe *PipeNode, list, elseList *ListNode) {
> > + defer t.popVars(len(t.vars))
> > + pipe = t.pipeline(context, itemRightDelim)
> > ++ if context == "range" {
> > ++ t.rangeDepth++
> > ++ }
> > + var next Node
> > + list, next = t.itemList()
> > ++ if context == "range" {
> > ++ t.rangeDepth--
> > ++ }
> > + switch next.Type() {
> > + case nodeEnd: //done
> > + case nodeElse:
> > +@@ -522,7 +561,8 @@ func (t *Tree) ifControl() Node {
> > + // {{range pipeline}} itemList {{else}} itemList {{end}}
> > + // Range keyword is past.
> > + func (t *Tree) rangeControl() Node {
> > +- return t.newRange(t.parseControl(false, "range"))
> > ++ r := t.newRange(t.parseControl(false, "range"))
> > ++ return r
> > + }
> > +
> > + // With:
> > +diff --git a/src/text/template/parse/parse_test.go
> b/src/text/template/parse/parse_test.go
> > +index 220f984..ba45636 100644
> > +--- a/src/text/template/parse/parse_test.go
> > ++++ b/src/text/template/parse/parse_test.go
> > +@@ -230,6 +230,10 @@ var parseTests = []parseTest{
> > + `{{range $x := .SI}}{{.}}{{end}}`},
> > + {"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError,
> > + `{{range $x, $y := .SI}}{{.}}{{end}}`},
> > ++ {"range with break", "{{range .SI}}{{.}}{{break}}{{end}}",
> noError,
> > ++ `{{range .SI}}{{.}}{{break}}{{end}}`},
> > ++ {"range with continue", "{{range .SI}}{{.}}{{continue}}{{end}}",
> noError,
> > ++ `{{range .SI}}{{.}}{{continue}}{{end}}`},
> > + {"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}",
> noError,
> > + `{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`},
> > + {"template", "{{template `x`}}", noError,
> > +@@ -279,6 +283,10 @@ var parseTests = []parseTest{
> > + {"adjacent args", "{{printf 3`x`}}", hasError, ""},
> > + {"adjacent args with .", "{{printf `x`.}}", hasError, ""},
> > + {"extra end after if", "{{if .X}}a{{else if
> .Y}}b{{end}}{{end}}", hasError, ""},
> > ++ {"break outside range", "{{range .}}{{end}} {{break}}",
> hasError, ""},
> > ++ {"continue outside range", "{{range .}}{{end}} {{continue}}",
> hasError, ""},
> > ++ {"break in range else", "{{range .}}{{else}}{{break}}{{end}}",
> hasError, ""},
> > ++ {"continue in range else", "{{range
> .}}{{else}}{{continue}}{{end}}", hasError, ""},
> > + // Other kinds of assignments and operators aren't available yet.
> > + {"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"},
> > + {"bug0b", "{{$x += 1}}{{$x}}", hasError, ""},
> > +--
> > +2.7.4
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch
> > similarity index 53%
> > rename from meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
> > rename to meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch
> > index d5bb33e091..baf400b891 100644
> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch
> > @@ -1,7 +1,7 @@
> > From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001
> > From: Roland Shoemaker <bracewell@google.com>
> > Date: Mon, 20 Mar 2023 11:01:13 -0700
> > -Subject: [PATCH 3/3] html/template: disallow actions in JS template
> literals
> > +Subject: [PATCH 6/6] html/template: disallow actions in JS template
> literals
> >
> > ECMAScript 6 introduced template literals[0][1] which are delimited with
> > backticks. These need to be escaped in a similar fashion to the
> > @@ -52,12 +52,15 @@ CVE: CVE-2023-24538
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > ---
> > src/html/template/context.go | 2 ++
> > - src/html/template/error.go | 13 +++++++++++++
> > - src/html/template/escape.go | 11 +++++++++++
> > + src/html/template/error.go | 13 ++++++++
> > + src/html/template/escape.go | 11 +++++++
> > + src/html/template/escape_test.go | 66
> ++++++++++++++++++++++-----------------
> > src/html/template/js.go | 2 ++
> > - src/html/template/jsctx_string.go | 9 +++++++++
> > - src/html/template/transition.go | 7 ++++++-
> > - 6 files changed, 43 insertions(+), 1 deletion(-)
> > + src/html/template/js_test.go | 2 +-
> > + src/html/template/jsctx_string.go | 9 ++++++
> > + src/html/template/state_string.go | 37 ++++++++++++++++++++--
> > + src/html/template/transition.go | 7 ++++-
> > + 9 files changed, 116 insertions(+), 33 deletions(-)
> >
> > diff --git a/src/html/template/context.go b/src/html/template/context.go
> > index f7d4849..0b65313 100644
> > @@ -125,6 +128,104 @@ index f12dafa..29ca5b3 100644
> > case stateJSRegexp:
> > s = append(s, "_html_template_jsregexpescaper")
> > case stateCSS:
> > +diff --git a/src/html/template/escape_test.go
> b/src/html/template/escape_test.go
> > +index fa2b84a..1b150e9 100644
> > +--- a/src/html/template/escape_test.go
> > ++++ b/src/html/template/escape_test.go
> > +@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) {
> > + }
> > +
> > + for _, test := range tests {
> > +- tmpl := New(test.name)
> > +- tmpl = Must(tmpl.Parse(test.input))
> > +- // Check for bug 6459: Tree field was not set in Parse.
> > +- if tmpl.Tree != tmpl.text.Tree {
> > +- t.Errorf("%s: tree not set properly", test.name)
> > +- continue
> > +- }
> > +- b := new(bytes.Buffer)
> > +- if err := tmpl.Execute(b, data); err != nil {
> > +- t.Errorf("%s: template execution failed: %s",
> test.name, err)
> > +- continue
> > +- }
> > +- if w, g := test.output, b.String(); w != g {
> > +- t.Errorf("%s: escaped output:
> want\n\t%q\ngot\n\t%q", test.name, w, g)
> > +- continue
> > +- }
> > +- b.Reset()
> > +- if err := tmpl.Execute(b, pdata); err != nil {
> > +- t.Errorf("%s: template execution failed for
> pointer: %s", test.name, err)
> > +- continue
> > +- }
> > +- if w, g := test.output, b.String(); w != g {
> > +- t.Errorf("%s: escaped output for pointer:
> want\n\t%q\ngot\n\t%q", test.name, w, g)
> > +- continue
> > +- }
> > +- if tmpl.Tree != tmpl.text.Tree {
> > +- t.Errorf("%s: tree mismatch", test.name)
> > +- continue
> > +- }
> > ++ t.Run(test.name, func(t *testing.T) {
> > ++ tmpl := New(test.name)
> > ++ tmpl = Must(tmpl.Parse(test.input))
> > ++ // Check for bug 6459: Tree field was not set in
> Parse.
> > ++ if tmpl.Tree != tmpl.text.Tree {
> > ++ t.Fatalf("%s: tree not set properly",
> test.name)
> > ++ }
> > ++ b := new(strings.Builder)
> > ++ if err := tmpl.Execute(b, data); err != nil {
> > ++ t.Fatalf("%s: template execution failed:
> %s", test.name, err)
> > ++ }
> > ++ if w, g := test.output, b.String(); w != g {
> > ++ t.Fatalf("%s: escaped output:
> want\n\t%q\ngot\n\t%q", test.name, w, g)
> > ++ }
> > ++ b.Reset()
> > ++ if err := tmpl.Execute(b, pdata); err != nil {
> > ++ t.Fatalf("%s: template execution failed
> for pointer: %s", test.name, err)
> > ++ }
> > ++ if w, g := test.output, b.String(); w != g {
> > ++ t.Fatalf("%s: escaped output for
> pointer: want\n\t%q\ngot\n\t%q", test.name, w, g)
> > ++ }
> > ++ if tmpl.Tree != tmpl.text.Tree {
> > ++ t.Fatalf("%s: tree mismatch", test.name)
> > ++ }
> > ++ })
> > + }
> > + }
> > +
> > +@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) {
> > + "{{range .Items}}<a{{if .X}}{{end}}>{{if
> .X}}{{break}}{{end}}{{end}}",
> > + "",
> > + },
> > ++ {
> > ++ "<script>var a = `${a+b}`</script>`",
> > ++ "",
> > ++ },
> > + // Error cases.
> > + {
> > + "{{if .Cond}}<a{{end}}",
> > +@@ -1082,6 +1082,10 @@ func TestErrors(t *testing.T) {
> > + // html is allowed since it is the last command
> in the pipeline, but urlquery is not.
> > + `predefined escaper "urlquery" disallowed in
> template`,
> > + },
> > ++ {
> > ++ "<script>var tmpl = `asd {{.}}`;</script>",
> > ++ `{{.}} appears in a JS template literal`,
> > ++ },
> > + }
> > + for _, test := range tests {
> > + buf := new(bytes.Buffer)
> > +@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) {
> > + context{state: stateJSSqStr, delim:
> delimDoubleQuote, attr: attrScript},
> > + },
> > + {
> > ++ "<a onclick=\"`foo",
> > ++ context{state: stateJSBqStr, delim:
> delimDoubleQuote, attr: attrScript},
> > ++ },
> > ++ {
> > + `<A ONCLICK="'`,
> > + context{state: stateJSSqStr, delim:
> delimDoubleQuote, attr: attrScript},
> > + },
> > diff --git a/src/html/template/js.go b/src/html/template/js.go
> > index ea9c183..b888eaf 100644
> > --- a/src/html/template/js.go
> > @@ -145,6 +246,19 @@ index ea9c183..b888eaf 100644
> > '+': `\u002b`,
> > '/': `\/`,
> > '<': `\u003c`,
> > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
> > +index d7ee47b..7d963ae 100644
> > +--- a/src/html/template/js_test.go
> > ++++ b/src/html/template/js_test.go
> > +@@ -292,7 +292,7 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t
> *testing.T) {
> > + `0123456789:;\u003c=\u003e?` +
> > + `@ABCDEFGHIJKLMNO` +
> > + `PQRSTUVWXYZ[\\]^_` +
> > +- "`abcdefghijklmno" +
> > ++ "\\u0060abcdefghijklmno" +
> > + "pqrstuvwxyz{|}~\u007f" +
> > +
> "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
> > + },
> > diff --git a/src/html/template/jsctx_string.go
> b/src/html/template/jsctx_string.go
> > index dd1d87e..2394893 100644
> > --- a/src/html/template/jsctx_string.go
> > @@ -165,6 +279,55 @@ index dd1d87e..2394893 100644
> > const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"
> >
> > var _jsCtx_index = [...]uint8{0, 11, 21, 33}
> > +diff --git a/src/html/template/state_string.go
> b/src/html/template/state_string.go
> > +index 05104be..6fb1a6e 100644
> > +--- a/src/html/template/state_string.go
> > ++++ b/src/html/template/state_string.go
> > +@@ -4,9 +4,42 @@ package template
> > +
> > + import "strconv"
> > +
> > +-const _state_name =
> "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATA \
> stateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlock \
> CmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
>
> > ++func _() {
> > ++ // An "invalid array index" compiler error signifies that the
> constant values have changed.
> > ++ // Re-run the stringer command to generate them again.
> > ++ var x [1]struct{}
> > ++ _ = x[stateText-0]
> > ++ _ = x[stateTag-1]
> > ++ _ = x[stateAttrName-2]
> > ++ _ = x[stateAfterName-3]
> > ++ _ = x[stateBeforeValue-4]
> > ++ _ = x[stateHTMLCmt-5]
> > ++ _ = x[stateRCDATA-6]
> > ++ _ = x[stateAttr-7]
> > ++ _ = x[stateURL-8]
> > ++ _ = x[stateSrcset-9]
> > ++ _ = x[stateJS-10]
> > ++ _ = x[stateJSDqStr-11]
> > ++ _ = x[stateJSSqStr-12]
> > ++ _ = x[stateJSBqStr-13]
> > ++ _ = x[stateJSRegexp-14]
> > ++ _ = x[stateJSBlockCmt-15]
> > ++ _ = x[stateJSLineCmt-16]
> > ++ _ = x[stateCSS-17]
> > ++ _ = x[stateCSSDqStr-18]
> > ++ _ = x[stateCSSSqStr-19]
> > ++ _ = x[stateCSSDqURL-20]
> > ++ _ = x[stateCSSSqURL-21]
> > ++ _ = x[stateCSSURL-22]
> > ++ _ = x[stateCSSBlockCmt-23]
> > ++ _ = x[stateCSSLineCmt-24]
> > ++ _ = x[stateError-25]
> > ++ _ = x[stateDead-26]
> > ++}
> > ++
> > ++const _state_name =
> "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATA \
> stateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexp \
> stateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
>
> > +
> > +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100,
> 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286,
> 296}
> > ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100,
> 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283,
> 298, 308, 317}
> > +
> > + func (i state) String() string {
> > + if i >= state(len(_state_index)-1) {
> > diff --git a/src/html/template/transition.go
> b/src/html/template/transition.go
> > index 06df679..92eb351 100644
> > --- a/src/html/template/transition.go
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
> > index 20e70c0485..00def8fcda 100644
> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch
> > @@ -34,9 +34,9 @@ Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> > src/html/template/context.go | 6 ++-
> > src/html/template/escape.go | 5 +-
> > src/html/template/escape_test.go | 10 ++++
> > - src/html/template/state_string.go | 4 +-
> > + src/html/template/state_string.go | 26 +++++-----
> > src/html/template/transition.go | 80 ++++++++++++++++++++-----------
> > - 5 files changed, 72 insertions(+), 33 deletions(-)
> > + 5 files changed, 84 insertions(+), 43 deletions(-)
> >
> > diff --git a/src/html/template/context.go b/src/html/template/context.go
> > index 0b65313..4eb7891 100644
> > @@ -105,14 +105,38 @@ diff --git a/src/html/template/state_string.go
> b/src/html/template/state_string.
> > index 05104be..b5cfe70 100644
> > --- a/src/html/template/state_string.go
> > +++ b/src/html/template/state_string.go
> > -@@ -4,9 +4,9 @@ package template
> > -
> > - import "strconv"
> > +@@ -25,21 +25,23 @@ func _() {
> > + _ = x[stateJSRegexp-14]
> > + _ = x[stateJSBlockCmt-15]
> > + _ = x[stateJSLineCmt-16]
> > +- _ = x[stateCSS-17]
> > +- _ = x[stateCSSDqStr-18]
> > +- _ = x[stateCSSSqStr-19]
> > +- _ = x[stateCSSDqURL-20]
> > +- _ = x[stateCSSSqURL-21]
> > +- _ = x[stateCSSURL-22]
> > +- _ = x[stateCSSBlockCmt-23]
> > +- _ = x[stateCSSLineCmt-24]
> > +- _ = x[stateError-25]
> > +- _ = x[stateDead-26]
> > ++ _ = x[stateJSHTMLOpenCmt-17]
> > ++ _ = x[stateJSHTMLCloseCmt-18]
> > ++ _ = x[stateCSS-19]
> > ++ _ = x[stateCSSDqStr-20]
> > ++ _ = x[stateCSSSqStr-21]
> > ++ _ = x[stateCSSDqURL-22]
> > ++ _ = x[stateCSSSqURL-23]
> > ++ _ = x[stateCSSURL-24]
> > ++ _ = x[stateCSSBlockCmt-25]
> > ++ _ = x[stateCSSLineCmt-26]
> > ++ _ = x[stateError-27]
> > ++ _ = x[stateDead-28]
> > + }
> >
> > --const _state_name =
> "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATA \
> stateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlock \
> CmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"
>
> > +-const _state_name =
> "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATA \
> stateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexp \
> stateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
>
> > +const _state_name =
> "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATA \
> stateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexp \
> stateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDq \
> StrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
>
> >
> > --var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100,
> 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286,
> 296}
> > +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100,
> 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283,
> 298, 308, 317}
> > +var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100,
> 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293,
> 304, 320, 335, 345, 354}
> >
> > func (i state) String() string {
> > --
> > 2.42.0
> >
> >
> >
> >
>
[Attachment #5 (text/html)]
<div dir="ltr">Apologies Steve,<div><br></div><div>I will look into the issue and \
send a new patch for Dunfell. It worked for me on my machine. Maybe something I \
missed.</div><div><br></div><div>Thanks,</div><div>Shubham \
Kulkarni</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On \
Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <<a \
href="mailto:steve@sakoman.com">steve@sakoman.com</a>> wrote:<br></div><blockquote \
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex">Sorry, this patch doesn't apply:<br> <br>
Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318<br>
error: corrupt patch at line 478<br>
error: could not build fake ancestor<br>
Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318<br>
<br>
Steve<br>
<br>
On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via<br>
<a href="http://lists.openembedded.org" rel="noreferrer" \
target="_blank">lists.openembedded.org</a> <skulkarni=<a \
href="mailto:mvista.com@lists.openembedded.org" \
target="_blank">mvista.com@lists.openembedded.org</a>><br> wrote:<br>
><br>
> From: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> ><br>
> Add missing files in fix for CVE-2023-24538 & CVE-2023-39318<br>
><br>
> Upstream Link -<br>
> CVE-2023-24538: <a \
href="https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b</a><br>
> CVE-2023-39318: <a \
href="https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c</a><br>
><br>
> Signed-off-by: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> > ---<br>
> meta/recipes-devtools/go/go-1.14.inc | 5 +-<br>
> .../go/go-1.14/CVE-2023-24538-1.patch | 4 +-<br>
> .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++-<br>
> .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++<br>
> .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++<br>
> .../go/go-1.14/CVE-2023-24538_5.patch | 585 \
++++++++++++++++++<br> > ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 \
+++++-<br> > .../go/go-1.14/CVE-2023-39318.patch | 38 +-<br>
> 8 files changed, 2124 insertions(+), 20 deletions(-)<br>
> create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch<br>
> create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch<br>
> create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch<br>
> rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => \
CVE-2023-24538_6.patch} (53%)<br> ><br>
> diff --git a/meta/recipes-devtools/go/go-1.14.inc \
b/meta/recipes-devtools/go/go-1.14.inc<br> > index be63f64825..091b778de8 \
100644<br> > --- a/meta/recipes-devtools/go/go-1.14.inc<br>
> +++ b/meta/recipes-devtools/go/go-1.14.inc<br>
> @@ -60,7 +60,10 @@ SRC_URI += "\<br>
> file://CVE-2023-24534.patch \<br>
> file://CVE-2023-24538-1.patch \<br>
> file://CVE-2023-24538-2.patch \<br>
> - file://CVE-2023-24538-3.patch \<br>
> + file://CVE-2023-24538_3.patch \<br>
> + file://CVE-2023-24538_4.patch \<br>
> + file://CVE-2023-24538_5.patch \<br>
> + file://CVE-2023-24538_6.patch \<br>
> file://CVE-2023-24539.patch \<br>
> file://CVE-2023-24540.patch \<br>
> file://CVE-2023-29405-1.patch \<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch<br> > index \
eda26e5ff6..23c5075e41 100644<br> > --- \
a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch<br> > +++ \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch<br> > @@ -1,7 +1,7 \
@@<br> > From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 \
2001<br> > From: Brad Fitzpatrick <<a href="mailto:bradfitz@golang.org" \
target="_blank">bradfitz@golang.org</a>><br> > Date: Mon, 2 Aug 2021 14:55:51 \
-0700<br> > -Subject: [PATCH 1/3] net/netip: add new IP address package<br>
> +Subject: [PATCH 1/6] net/netip: add new IP address package<br>
><br>
> Co-authored-by: Alex Willmer <<a href="mailto:alex@moreati.org.uk" \
target="_blank">alex@moreati.org.uk</a>> (GitHub @moreati)<br> > \
Co-authored-by: Alexander Yastrebov <<a href="mailto:yastrebov.alex@gmail.com" \
target="_blank">yastrebov.alex@gmail.com</a>><br> > @@ -31,7 +31,7 @@ Trust: \
Brad Fitzpatrick <<a href="mailto:bradfitz@golang.org" \
target="_blank">bradfitz@golang.org</a>><br> ><br>
> Dependency Patch #1<br>
><br>
> -Upstream-Status: Backport [<a \
href="https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0</a>]<br>
> +Upstream-Status: Backport from <a \
href="https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0</a><br>
> CVE: CVE-2023-24538<br>
> Signed-off-by: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> > ---<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch<br> > index \
5036f2890b..3840617a32 100644<br> > --- \
a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch<br> > +++ \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch<br> > @@ -1,7 +1,7 \
@@<br> > From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 \
2001<br> > From: empijei <<a href="mailto:robclap8@gmail.com" \
target="_blank">robclap8@gmail.com</a>><br> > Date: Fri, 27 Mar 2020 19:27:55 \
+0100<br> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode \
escapes<br> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode \
escapes<br> > for JSON compatibility<br>
> MIME-Version: 1.0<br>
> Content-Type: text/plain; charset=UTF-8<br>
> @@ -31,10 +31,238 @@ Upstream-Status: Backport from <a \
href="https://github.com/golang/go/commit/d4d298040d072" rel="noreferrer" \
target="_blank">https://github.com/golang/go/commit/d4d298040d072</a><br> > CVE: \
CVE-2023-24538<br> > Signed-off-by: Shubham Kulkarni <<a \
href="mailto:skulkarni@mvista.com" target="_blank">skulkarni@mvista.com</a>><br> \
> ---<br> > - src/html/template/js.go | 70 \
+++++++++++++++++++++++++++-------------------<br> > - src/text/template/funcs.go \
| 8 +++---<br> > - 2 files changed, 46 insertions(+), 32 deletions(-)<br>
> + src/html/template/content_test.go | 70 \
+++++++++++++++++++-------------------<br> > + src/html/template/escape_test.go \
| 6 ++--<br> > + src/html/template/example_test.go | 6 ++--<br>
> + src/html/template/js.go | 70 \
+++++++++++++++++++++++---------------<br> > + src/html/template/js_test.go \
| 68 ++++++++++++++++++------------------<br> > + \
src/html/template/template_test.go | 39 +++++++++++++++++++++<br> > + \
src/text/template/exec_test.go | 6 ++--<br> > + \
src/text/template/funcs.go | 8 ++---<br> > + 8 files changed, 163 \
insertions(+), 110 deletions(-)<br> ><br>
> +diff --git a/src/html/template/content_test.go \
b/src/html/template/content_test.go<br> > +index 72d56f5..bd86527 100644<br>
> +--- a/src/html/template/content_test.go<br>
> ++++ b/src/html/template/content_test.go<br>
> +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {<br>
> + HTML(`Hello, <b>World</b> \
&amp;tc!`),<br> > + HTMLAttr(` \
dir="ltr"`),<br> > + JS(`c && \
alert("Hello, World!");`),<br> > +- JSStr(`Hello, \
World & O'Reilly\x21`),<br> > ++ JSStr(`Hello, World \
& O'Reilly\u0021`),<br> > + \
URL(`greeting=H%69,&addressee=(World)`),<br> > + \
Srcset(`greeting=H%69,&addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w`),<br> > + \
URL(`,foo/,`),<br> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {<br>
> + `Hello, <b>World</b> \
&amp;tc!`,<br> > + ` \
dir=&#34;ltr&#34;`,<br> > + \
`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,<br> > +- \
`Hello, World &amp; O&#39;Reilly\x21`,<br> > ++ \
`Hello, World &amp; O&#39;Reilly\u0021`,<br> > + \
`greeting=H%69,&amp;addressee=(World)`,<br> > + \
`greeting=H%69,&amp;addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w`,<br> > + \
`,foo/,`,<br> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {<br>
> + \
`Hello,&#32;World&#32;&amp;tc!`,<br> > + \
`&#32;dir&#61;&#34;ltr&#34;`,<br> > + \
`c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,<br>
> +- \
`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,<br> > ++ \
`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,<br> > + \
`greeting&#61;H%69,&amp;addressee&#61;(World)`,<br> > + \
`greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;<a \
href="https://golang.org/favicon.ico&#32;500.5w" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico&#32;500.5w`</a>,<br> > + \
`,foo/,`,<br> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {<br>
> + `Hello, World &amp;tc!`,<br>
> + ` \
dir=&#34;ltr&#34;`,<br> > + \
`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,<br> > +- \
`Hello, World &amp; O&#39;Reilly\x21`,<br> > ++ \
`Hello, World &amp; O&#39;Reilly\u0021`,<br> > + \
`greeting=H%69,&amp;addressee=(World)`,<br> > + \
`greeting=H%69,&amp;addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w`,<br> > + \
`,foo/,`,<br> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {<br>
> + `Hello, \
&lt;b&gt;World&lt;/b&gt; &amp;tc!`,<br> > + \
` dir=&#34;ltr&#34;`,<br> > + \
`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,<br> > +- \
`Hello, World &amp; O&#39;Reilly\x21`,<br> > ++ \
`Hello, World &amp; O&#39;Reilly\u0021`,<br> > + \
`greeting=H%69,&amp;addressee=(World)`,<br> > + \
`greeting=H%69,&amp;addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w`,<br> > + \
`,foo/,`,<br> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {<br>
> + // Not escaped.<br>
> + `c && alert("Hello, \
World!");`,<br> > + // Escape \
sequence not over-escaped.<br> > +- \
`"Hello, World & O'Reilly\x21"`,<br> > ++ \
`"Hello, World & O'Reilly\u0021"`,<br> > + \
`"greeting=H%69,\u0026addressee=(World)"`,<br> > + \
`"greeting=H%69,\u0026addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w"`,<br> > + \
`",foo/,"`,<br> > +@@ -162,7 +162,7 @@ func TestTypedContent(t \
*testing.T) {<br> > + // Not JS \
escaped but HTML escaped.<br> > + `c \
&amp;&amp; alert(&#34;Hello, World!&#34;);`,<br> > + \
// Escape sequence not over-escaped.<br> > +- \
`&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,<br> > ++ \
`&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,<br> > + \
`&#34;greeting=H%69,\u0026addressee=(World)&#34;`,<br> > + \
`&#34;greeting=H%69,\u0026addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w&#34;`,<br> > + \
`&#34;,foo/,&#34;`,<br> > +@@ -171,30 +171,30 @@ func TestTypedContent(t \
*testing.T) {<br> > + {<br>
> + \
`<script>alert("{{.}}")</script>`,<br> > + \
[]string{<br> > +- `\x3cb\x3e \
\x22foo%\x22 O\x27Reilly \x26bar;`,<br> > +- \
`a[href =~ \x22\/\/<a href="http://example.com" rel="noreferrer" \
target="_blank">example.com</a>\x22]#foo`,<br> > +- \
`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,<br> > +- \
` dir=\x22ltr\x22`,<br> > +- `c \
\x26\x26 alert(\x22Hello, World!\x22);`,<br> > ++ \
`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,<br> > ++ \
`a[href =~ \u0022\/\/<a href="http://example.com" rel="noreferrer" \
target="_blank">example.com</a>\u0022]#foo`,<br> > ++ \
`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,<br> > ++ \
` dir=\u0022ltr\u0022`,<br> > ++ `c \
\u0026\u0026 alert(\u0022Hello, World!\u0022);`,<br> > + \
// Escape sequence not over-escaped.<br> > +- \
`Hello, World \x26 O\x27Reilly\x21`,<br> > +- \
`greeting=H%69,\x26addressee=(World)`,<br> > +- \
`greeting=H%69,\x26addressee=(World) 2x, https:\/\/<a href="http://golang.org" \
rel="noreferrer" target="_blank">golang.org</a>\/favicon.ico 500.5w`,<br> > ++ \
`Hello, World \u0026 O\u0027Reilly\u0021`,<br> > ++ \
`greeting=H%69,\u0026addressee=(World)`,<br> > ++ \
`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/<a href="http://golang.org" \
rel="noreferrer" target="_blank">golang.org</a>\/favicon.ico 500.5w`,<br> > + \
`,foo\/,`,<br> > + },<br>
> + },<br>
> + {<br>
> + `<script \
type="text/javascript">alert("{{.}}")</script>`,<br> \
> + []string{<br> > +- \
`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,<br> > +- \
`a[href =~ \x22\/\/<a href="http://example.com" rel="noreferrer" \
target="_blank">example.com</a>\x22]#foo`,<br> > +- \
`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,<br> > +- \
` dir=\x22ltr\x22`,<br> > +- `c \
\x26\x26 alert(\x22Hello, World!\x22);`,<br> > ++ \
`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,<br> > ++ \
`a[href =~ \u0022\/\/<a href="http://example.com" rel="noreferrer" \
target="_blank">example.com</a>\u0022]#foo`,<br> > ++ \
`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,<br> > ++ \
` dir=\u0022ltr\u0022`,<br> > ++ `c \
\u0026\u0026 alert(\u0022Hello, World!\u0022);`,<br> > + \
// Escape sequence not over-escaped.<br> > +- \
`Hello, World \x26 O\x27Reilly\x21`,<br> > +- \
`greeting=H%69,\x26addressee=(World)`,<br> > +- \
`greeting=H%69,\x26addressee=(World) 2x, https:\/\/<a href="http://golang.org" \
rel="noreferrer" target="_blank">golang.org</a>\/favicon.ico 500.5w`,<br> > ++ \
`Hello, World \u0026 O\u0027Reilly\u0021`,<br> > ++ \
`greeting=H%69,\u0026addressee=(World)`,<br> > ++ \
`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/<a href="http://golang.org" \
rel="noreferrer" target="_blank">golang.org</a>\/favicon.ico 500.5w`,<br> > + \
`,foo\/,`,<br> > + },<br>
> + },<br>
> +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {<br>
> + // Not escaped.<br>
> + `c && alert("Hello, \
World!");`,<br> > + // Escape \
sequence not over-escaped.<br> > +- \
`"Hello, World & O'Reilly\x21"`,<br> > ++ \
`"Hello, World & O'Reilly\u0021"`,<br> > + \
`"greeting=H%69,\u0026addressee=(World)"`,<br> > + \
`"greeting=H%69,\u0026addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w"`,<br> > + \
`",foo/,"`,<br> > +@@ -224,7 +224,7 @@ func TestTypedContent(t \
*testing.T) {<br> > + `Hello, \
<b>World</b> &amp;tc!`,<br> > + \
` dir=&#34;ltr&#34;`,<br> > + \
`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,<br> > +- \
`Hello, World &amp; O&#39;Reilly\x21`,<br> > ++ \
`Hello, World &amp; O&#39;Reilly\u0021`,<br> > + \
`greeting=H%69,&amp;addressee=(World)`,<br> > + \
`greeting=H%69,&amp;addressee=(World) 2x, <a \
href="https://golang.org/favicon.ico" rel="noreferrer" \
target="_blank">https://golang.org/favicon.ico</a> 500.5w`,<br> > + \
`,foo/,`,<br> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {<br>
> + {<br>
> + `<button \
onclick='alert("{{.}}")'>`,<br> > + \
[]string{<br> > +- `\x3cb\x3e \
\x22foo%\x22 O\x27Reilly \x26bar;`,<br> > +- \
`a[href =~ \x22\/\/<a href="http://example.com" rel="noreferrer" \
target="_blank">example.com</a>\x22]#foo`,<br> > +- \
`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,<br> > +- \
` dir=\x22ltr\x22`,<br> > +- `c \
\x26\x26 alert(\x22Hello, World!\x22);`,<br> > ++ \
`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,<br> > ++ \
`a[href =~ \u0022\/\/<a href="http://example.com" rel="noreferrer" \
target="_blank">example.com</a>\u0022]#foo`,<br> > ++ \
`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,<br> > ++ \
` dir=\u0022ltr\u0022`,<br> > ++ `c \
\u0026\u0026 alert(\u0022Hello, World!\u0022);`,<br> > + \
// Escape sequence not over-escaped.<br> > +- \
`Hello, World \x26 O\x27Reilly\x21`,<br> > +- \
`greeting=H%69,\x26addressee=(World)`,<br> > +- \
`greeting=H%69,\x26addressee=(World) 2x, https:\/\/<a href="http://golang.org" \
rel="noreferrer" target="_blank">golang.org</a>\/favicon.ico 500.5w`,<br> > ++ \
`Hello, World \u0026 O\u0027Reilly\u0021`,<br> > ++ \
`greeting=H%69,\u0026addressee=(World)`,<br> > ++ \
`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/<a href="http://golang.org" \
rel="noreferrer" target="_blank">golang.org</a>\/favicon.ico 500.5w`,<br> > + \
`,foo\/,`,<br> > + },<br>
> + },<br>
> +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {<br>
> + \
`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,<br> > + \
`%20dir%3d%22ltr%22`,<br> > + \
`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,<br> > +- \
`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,<br> > ++ \
`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,<br> > + \
// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is \
done.<br> > + \
`greeting=H%69,&amp;addressee=%28World%29`,<br> > + \
`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%<a \
href="http://2fgolang.org" rel="noreferrer" \
target="_blank">2fgolang.org</a>%2ffavicon.ico%20500.5w`,<br> > +@@ -268,7 +268,7 \
@@ func TestTypedContent(t *testing.T) {<br> > + \
`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,<br> > + \
`%20dir%3d%22ltr%22`,<br> > + \
`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,<br> > +- \
`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,<br> > ++ \
`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,<br> > + \
// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not \
done.<br> > + \
`greeting=H%69,&addressee=%28World%29`,<br> > + \
`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%<a \
href="http://2fgolang.org" rel="noreferrer" \
target="_blank">2fgolang.org</a>%2ffavicon.ico%20500.5w`,<br> > +diff --git \
a/src/html/template/escape_test.go b/src/html/template/escape_test.go<br> > +index \
e72a9ba..c709660 100644<br> > +--- a/src/html/template/escape_test.go<br>
> ++++ b/src/html/template/escape_test.go<br>
> +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {<br>
> + {<br>
> + "jsStr",<br>
> + "<button \
onclick='alert(&quot;{{.H}}&quot;)'>",<br> > +- \
`<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,<br> > \
++ `<button \
onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,<br> > + \
},<br> > + {<br>
> + "badMarshaler",<br>
> +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {<br>
> + {<br>
> + "jsRe",<br>
> + `<button \
onclick='alert(/{{"foo+bar"}}/.test(""))'>`,<br> > \
+- `<button \
onclick='alert(/foo\x2bbar/.test(""))'>`,<br> > ++ \
`<button onclick='alert(/foo\u002bbar/.test(""))'>`,<br> > \
+ },<br> > + {<br>
> + "jsReBlank",<br>
> +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {<br>
> + "main": \
`<button onclick="title='{{template "helper"}}'; \
...">{{template "helper"}}</button>`,<br> > + \
"helper": `{{11}} of {{"<100>"}}`,<br> > + \
},<br> > +- `<button \
onclick="title='11 of \x3c100\x3e'; ...">11 of \
&lt;100&gt;</button>`,<br> > ++ \
`<button onclick="title='11 of \u003c100\u003e'; ...">11 of \
&lt;100&gt;</button>`,<br> > + },<br>
> + // A non-recursive template that ends in a different \
context.<br> > + // helper starts in jsCtxRegexp and ends in \
jsCtxDivOp.<br> > +diff --git a/src/html/template/example_test.go \
b/src/html/template/example_test.go<br> > +index 9d965f1..6cf936f 100644<br>
> +--- a/src/html/template/example_test.go<br>
> ++++ b/src/html/template/example_test.go<br>
> +@@ -116,9 +116,9 @@ func Example_escape() {<br>
> + // &#34;Fran &amp; Freddie&#39;s Diner&#34; &<a \
href="mailto:lt%3Btasty@example.com" \
target="_blank">lt;tasty@example.com</a>&gt;<br> > + // \
&#34;Fran &amp; Freddie&#39;s Diner&#34; &<a \
href="mailto:lt%3Btasty@example.com" \
target="_blank">lt;tasty@example.com</a>&gt;<br> > + // \
&#34;Fran &amp; Freddie&#39;s Diner&#<a \
href="mailto:34%3B32%26lt%3Btasty@example.com" \
target="_blank">34;32&lt;tasty@example.com</a>&gt;<br> > +- // \
\"Fran \x26 Freddie\'s Diner\" \<a href="mailto:x3Ctasty@example.com" \
target="_blank">x3Ctasty@example.com</a>\x3E<br> > +- // \"Fran \x26 \
Freddie\'s Diner\" \<a href="mailto:x3Ctasty@example.com" \
target="_blank">x3Ctasty@example.com</a>\x3E<br> > +- // \"Fran \x26 \
Freddie\'s Diner\"32\<a href="mailto:x3Ctasty@example.com" \
target="_blank">x3Ctasty@example.com</a>\x3E<br> > ++ // \"Fran \
\u0026 Freddie\'s Diner\" \<a href="mailto:u003Ctasty@example.com" \
target="_blank">u003Ctasty@example.com</a>\u003E<br> > ++ // \"Fran \
\u0026 Freddie\'s Diner\" \<a href="mailto:u003Ctasty@example.com" \
target="_blank">u003Ctasty@example.com</a>\u003E<br> > ++ // \"Fran \
\u0026 Freddie\'s Diner\"32\<a href="mailto:u003Ctasty@example.com" \
target="_blank">u003Ctasty@example.com</a>\u003E<br> > + // \
%22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%<a href="http://40example.com" \
rel="noreferrer" target="_blank">40example.com</a>%3E<br> > +<br>
> + }<br>
> diff --git a/src/html/template/js.go b/src/html/template/js.go<br>
> index 0e91458..ea9c183 100644<br>
> --- a/src/html/template/js.go<br>
> @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644<br>
> '?': `\?`,<br>
> '[': `\[`,<br>
> '\\': `\\`,<br>
> +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go<br>
> +index 075adaa..d7ee47b 100644<br>
> +--- a/src/html/template/js_test.go<br>
> ++++ b/src/html/template/js_test.go<br>
> +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {<br>
> + {"foo", `"foo"`},<br>
> + // Newlines.<br>
> + {"\r\n\u2028\u2029", \
`"\r\n\u2028\u2029"`},<br> > +- // "\v" == \
"v" on IE 6 so use "\x0b" instead.<br> > ++ \
// "\v" == "v" on IE 6 so use "\u000b" instead.<br> \
> + {"\t\x0b", `"\t\u000b"`},<br> > + \
{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},<br> > + \
{[]interface{}{}, "[]"},<br> > +@@ -173,7 +173,7 @@ func \
TestJSStrEscaper(t *testing.T) {<br> > + }{<br>
> + {"", ``},<br>
> + {"foo", `foo`},<br>
> +- {"\u0000", `\0`},<br>
> ++ {"\u0000", `\u0000`},<br>
> + {"\t", `\t`},<br>
> + {"\n", `\n`},<br>
> + {"\r", `\r`},<br>
> +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {<br>
> + {"\\n", `\\n`},<br>
> + {"foo\r\nbar", `foo\r\nbar`},<br>
> + // Preserve attribute boundaries.<br>
> +- {`"`, `\x22`},<br>
> +- {`'`, `\x27`},<br>
> ++ {`"`, `\u0022`},<br>
> ++ {`'`, `\u0027`},<br>
> + // Allow embedding in HTML without further escaping.<br>
> +- {`&amp;`, `\x26amp;`},<br>
> ++ {`&amp;`, `\u0026amp;`},<br>
> + // Prevent breaking out of text node and element \
boundaries.<br> > +- {"</script>", \
`\x3c\/script\x3e`},<br> > +- {"<![CDATA[", \
`\x3c![CDATA[`},<br> > +- {"]]>", `]]\x3e`},<br>
> ++ {"</script>", \
`\u003c\/script\u003e`},<br> > ++ {"<![CDATA[", \
`\u003c![CDATA[`},<br> > ++ {"]]>", \
`]]\u003e`},<br> > + // <a \
href="https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span" \
rel="noreferrer" target="_blank">https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span</a><br>
> + // "The text in style, script, title, and \
textarea elements<br> > + // must not have an escaping \
text span start that is not<br> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t \
*testing.T) {<br> > + // allow regular text content to be \
interpreted as script<br> > + // allowing script execution \
via a combination of a JS string<br> > + // injection \
followed by an HTML text injection.<br> > +- \
{"<!--", `\x3c!--`},<br> > +- \
{"-->", `--\x3e`},<br> > ++ {"<!--", \
`\u003c!--`},<br> > ++ {"-->", `--\u003e`},<br>
> + // From <a \
href="https://code.google.com/p/doctype/wiki/ArticleUtf7" rel="noreferrer" \
target="_blank">https://code.google.com/p/doctype/wiki/ArticleUtf7</a><br> > + \
{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",<br> > +- \
`\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,<br> > ++ \
`\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,<br> > + \
},<br> > + // Invalid UTF-8 sequence<br>
> + {"foo\xA0bar", "foo\xA0bar"},<br>
> +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {<br>
> + }{<br>
> + {"", `(?:)`},<br>
> + {"foo", `foo`},<br>
> +- {"\u0000", `\0`},<br>
> ++ {"\u0000", `\u0000`},<br>
> + {"\t", `\t`},<br>
> + {"\n", `\n`},<br>
> + {"\r", `\r`},<br>
> +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {<br>
> + {"\\n", `\\n`},<br>
> + {"foo\r\nbar", `foo\r\nbar`},<br>
> + // Preserve attribute boundaries.<br>
> +- {`"`, `\x22`},<br>
> +- {`'`, `\x27`},<br>
> ++ {`"`, `\u0022`},<br>
> ++ {`'`, `\u0027`},<br>
> + // Allow embedding in HTML without further escaping.<br>
> +- {`&amp;`, `\x26amp;`},<br>
> ++ {`&amp;`, `\u0026amp;`},<br>
> + // Prevent breaking out of text node and element \
boundaries.<br> > +- {"</script>", \
`\x3c\/script\x3e`},<br> > +- {"<![CDATA[", \
`\x3c!\[CDATA\[`},<br> > +- {"]]>", \
`\]\]\x3e`},<br> > ++ {"</script>", \
`\u003c\/script\u003e`},<br> > ++ {"<![CDATA[", \
`\u003c!\[CDATA\[`},<br> > ++ {"]]>", \
`\]\]\u003e`},<br> > + // Escaping text spans.<br>
> +- {"<!--", `\x3c!\-\-`},<br>
> +- {"-->", `\-\-\x3e`},<br>
> ++ {"<!--", `\u003c!\-\-`},<br>
> ++ {"-->", `\-\-\u003e`},<br>
> + {"*", `\*`},<br>
> +- {"+", `\x2b`},<br>
> ++ {"+", `\u002b`},<br>
> + {"?", `\?`},<br>
> + {"[](){}", `\[\]\(\)\{\}`},<br>
> + {"$foo|x.y", `\$foo\|x\.y`},<br>
> +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t \
*testing.T) {<br> > + {<br>
> + "jsStrEscaper",<br>
> + jsStrEscaper,<br>
> +- "\\0\x01\x02\x03\x04\x05\x06\x07" \
+<br> > +- \
"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +<br> > +- \
"\x10\x11\x12\x13\x14\x15\x16\x17" +<br> > +- \
"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +<br> > +- \
` !\x22#$%\x26\x27()*\x2b,-.\/` +<br> > +- \
`0123456789:;\x3c=\x3e?` +<br> > ++ \
`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +<br> > ++ \
`\u0008\t\n\u000b\f\r\u000e\u000f` +<br> > ++ \
`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +<br> > ++ \
`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +<br> > ++ \
` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +<br> > ++ \
`0123456789:;\u003c=\u003e?` +<br> > + \
`@ABCDEFGHIJKLMNO` +<br> > + \
`PQRSTUVWXYZ[\\]^_` +<br> > + \
"`abcdefghijklmno" +<br> > +- \
"pqrstuvwxyz{|}~\x7f" +<br> > ++ \
"pqrstuvwxyz{|}~\u007f" +<br> > + \
"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",<br> > + \
},<br> > + {<br>
> + "jsRegexpEscaper",<br>
> + jsRegexpEscaper,<br>
> +- "\\0\x01\x02\x03\x04\x05\x06\x07" \
+<br> > +- \
"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +<br> > +- \
"\x10\x11\x12\x13\x14\x15\x16\x17" +<br> > +- \
"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +<br> > +- \
` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +<br> > +- \
`0123456789:;\x3c=\x3e\?` +<br> > ++ \
`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +<br> > ++ \
`\u0008\t\n\u000b\f\r\u000e\u000f` +<br> > ++ \
`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +<br> > ++ \
`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +<br> > ++ \
` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +<br> > ++ \
`0123456789:;\u003c=\u003e\?` +<br> > + \
`@ABCDEFGHIJKLMNO` +<br> > + \
`PQRSTUVWXYZ\[\\\]\^_` +<br> > + \
"`abcdefghijklmno" +<br> > +diff --git \
a/src/html/template/template_test.go b/src/html/template/template_test.go<br> > \
+index 13e6ba4..86bd4db 100644<br> > +--- a/src/html/template/template_test.go<br>
> ++++ b/src/html/template/template_test.go<br>
> +@@ -6,6 +6,7 @@ package template_test<br>
> +<br>
> + import (<br>
> + "bytes"<br>
> ++ "encoding/json"<br>
> + . "html/template"<br>
> + "strings"<br>
> + "testing"<br>
> +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {<br>
> + c.mustExecute(c.root, nil, "12.34 7.5")<br>
> + }<br>
> +<br>
> ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) \
{<br> > ++ // See #33671 and #37634 for more context on this.<br>
> ++ tests := []struct{ name, in string }{<br>
> ++ {"empty", ""},<br>
> ++ {"invalid", string(rune(-1))},<br>
> ++ {"null", "\u0000"},<br>
> ++ {"unit separator", "\u001F"},<br>
> ++ {"tab", "\t"},<br>
> ++ {"gt and lt", "<>"},<br>
> ++ {"quotes", `'"`},<br>
> ++ {"ASCII letters", "ASCII \
letters"},<br> > ++ {"Unicode", \
"ʕ⊙ϖ⊙ʔ"},<br> > ++ {"Pizza", \
"🍕"},<br> > ++ }<br>
> ++ const (<br>
> ++ prefix = `<script \
type="application/ld+json">`<br> > ++ suffix = \
`</script>`<br> > ++ templ = prefix + \
`"{{.}}"` + suffix<br> > ++ )<br>
> ++ tpl := Must(New("JS string is JSON \
string").Parse(templ))<br> > ++ for _, tt := range tests {<br>
> ++ t.Run(<a href="http://tt.name" rel="noreferrer" \
target="_blank">tt.name</a>, func(t *testing.T) {<br> > ++ \
var buf bytes.Buffer<br> > ++ if err := \
tpl.Execute(&buf, <a href="http://tt.in" rel="noreferrer" \
target="_blank">tt.in</a>); err != nil {<br> > ++ \
t.Fatalf("Cannot render template: %v", err)<br> > ++ \
}<br> > ++ trimmed := \
bytes.TrimSuffix(bytes.TrimPrefix(buf.Bytes(), []byte(prefix)), []byte(suffix))<br> \
> ++ var got string<br> > ++ \
if err := json.Unmarshal(trimmed, &got); err != nil {<br> > ++ \
t.Fatalf("Cannot parse JS string %q as JSON: %v", \
trimmed[1:len(trimmed)-1], err)<br> > ++ }<br>
> ++ if got != <a href="http://tt.in" \
rel="noreferrer" target="_blank">tt.in</a> {<br> > ++ \
t.Errorf("Serialization changed the string value: got %q want %q", got, <a \
href="http://tt.in" rel="noreferrer" target="_blank">tt.in</a>)<br> > ++ \
}<br> > ++ })<br>
> ++ }<br>
> ++}<br>
> ++<br>
> + type testCase struct {<br>
> + t *testing.T<br>
> + root *Template<br>
> +diff --git a/src/text/template/exec_test.go \
b/src/text/template/exec_test.go<br> > +index 77294ed..b8a809e 100644<br>
> +--- a/src/text/template/exec_test.go<br>
> ++++ b/src/text/template/exec_test.go<br>
> +@@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) {<br>
> + {`Go "jump" \`, `Go \"jump\" \
\\`},<br> > + {`Yukihiro says "今日は世界"`, \
`Yukihiro says \"今日は世界\"`},<br> > + \
{"unprintable \uFDFF", `unprintable \uFDFF`},<br> > +- \
{`<html>`, `\x3Chtml\x3E`},<br> > +- {`no = in \
attributes`, `no \x3D in attributes`},<br> > +- {`&#x27; \
does not become HTML entity`, `\x26#x27; does not become HTML entity`},<br> > ++ \
{`<html>`, `\u003Chtml\u003E`},<br> > ++ {`no = in \
attributes`, `no \u003D in attributes`},<br> > ++ {`&#x27; \
does not become HTML entity`, `\u0026#x27; does not become HTML entity`},<br> > + \
}<br> > + for _, tc := range testCases {<br>
> + s := JSEscapeString(<a href="http://tc.in" \
rel="noreferrer" target="_blank">tc.in</a>)<br> > diff --git \
a/src/text/template/funcs.go b/src/text/template/funcs.go<br> > index \
46125bc..f3de9fb 100644<br> > --- a/src/text/template/funcs.go<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch<br> > new file mode \
100644<br> > index 0000000000..cd7dd0957c<br>
> --- /dev/null<br>
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch<br>
> @@ -0,0 +1,393 @@<br>
> +From 7ddce23c7d5b728acf8482f5006497c7b9915f8a Mon Sep 17 00:00:00 2001<br>
> +From: Ariel Mashraki <<a href="mailto:ariel@mashraki.co.il" \
target="_blank">ariel@mashraki.co.il</a>><br> > +Date: Wed, 22 Apr 2020 \
22:17:56 +0300<br> > +Subject: [PATCH 3/6] text/template: add CommentNode to \
template parse tree<br> > +MIME-Version: 1.0<br>
> +Content-Type: text/plain; charset=UTF-8<br>
> +Content-Transfer-Encoding: 8bit<br>
> +<br>
> +Fixes #34652<br>
> +<br>
> +Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98<br>
> +Reviewed-on: <a href="https://go-review.googlesource.com/c/go/+/229398" \
rel="noreferrer" target="_blank">https://go-review.googlesource.com/c/go/+/229398</a><br>
> +Reviewed-by: Daniel Martí <<a href="mailto:mvdan@mvdan.cc" \
target="_blank">mvdan@mvdan.cc</a>><br> > +Run-TryBot: Daniel Martí <<a \
href="mailto:mvdan@mvdan.cc" target="_blank">mvdan@mvdan.cc</a>><br> > \
+TryBot-Result: Gobot Gobot <<a href="mailto:gobot@golang.org" \
target="_blank">gobot@golang.org</a>><br> > +<br>
> +Dependency Patch #3<br>
> +<br>
> +Upstream-Status: Backport from <a \
href="https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6</a><br>
> +CVE: CVE-2023-24538<br>
> +Signed-off-by: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> > +---<br>
> + api/next.txt | 19 \
+++++++++++++++++++<br> > + src/html/template/escape.go | 2 \
++<br> > + src/html/template/template_test.go | 16 ++++++++++++++++<br>
> + src/text/template/exec.go | 1 +<br>
> + src/text/template/parse/lex.go | 8 +++++++-<br>
> + src/text/template/parse/lex_test.go | 7 +++++--<br>
> + src/text/template/parse/node.go | 33 \
+++++++++++++++++++++++++++++++++<br> > + src/text/template/parse/parse.go \
| 22 +++++++++++++++++++---<br> > + src/text/template/parse/parse_test.go | 25 \
+++++++++++++++++++++++++<br> > + 9 files changed, 127 insertions(+), 6 \
deletions(-)<br> > +<br>
> +diff --git a/api/next.txt b/api/next.txt<br>
> +index e69de29..076f39e 100644<br>
> +--- a/api/next.txt<br>
> ++++ b/api/next.txt<br>
> +@@ -0,0 +1,19 @@<br>
> ++pkg unicode, const Version = "13.0.0"<br>
> ++pkg unicode, var Chorasmian *RangeTable<br>
> ++pkg unicode, var Dives_Akuru *RangeTable<br>
> ++pkg unicode, var Khitan_Small_Script *RangeTable<br>
> ++pkg unicode, var Yezidi *RangeTable<br>
> ++pkg text/template/parse, const NodeComment = 20<br>
> ++pkg text/template/parse, const NodeComment NodeType<br>
> ++pkg text/template/parse, const ParseComments = 1<br>
> ++pkg text/template/parse, const ParseComments Mode<br>
> ++pkg text/template/parse, method (*CommentNode) Copy() Node<br>
> ++pkg text/template/parse, method (*CommentNode) String() string<br>
> ++pkg text/template/parse, method (CommentNode) Position() Pos<br>
> ++pkg text/template/parse, method (CommentNode) Type() NodeType<br>
> ++pkg text/template/parse, type CommentNode struct<br>
> ++pkg text/template/parse, type CommentNode struct, Text string<br>
> ++pkg text/template/parse, type CommentNode struct, embedded NodeType<br>
> ++pkg text/template/parse, type CommentNode struct, embedded Pos<br>
> ++pkg text/template/parse, type Mode uint<br>
> ++pkg text/template/parse, type Tree struct, Mode Mode<br>
> +diff --git a/src/html/template/escape.go b/src/html/template/escape.go<br>
> +index f12dafa..8739735 100644<br>
> +--- a/src/html/template/escape.go<br>
> ++++ b/src/html/template/escape.go<br>
> +@@ -124,6 +124,8 @@ func (e *escaper) escape(c context, n parse.Node) context \
{<br> > + switch n := n.(type) {<br>
> + case *parse.ActionNode:<br>
> + return e.escapeAction(c, n)<br>
> ++ case *parse.CommentNode:<br>
> ++ return c<br>
> + case *parse.IfNode:<br>
> + return e.escapeBranch(c, &n.BranchNode, \
"if")<br> > + case *parse.ListNode:<br>
> +diff --git a/src/html/template/template_test.go \
b/src/html/template/template_test.go<br> > +index 86bd4db..1f2c888 100644<br>
> +--- a/src/html/template/template_test.go<br>
> ++++ b/src/html/template/template_test.go<br>
> +@@ -10,6 +10,7 @@ import (<br>
> + . "html/template"<br>
> + "strings"<br>
> + "testing"<br>
> ++ "text/template/parse"<br>
> + )<br>
> +<br>
> + func TestTemplateClone(t *testing.T) {<br>
> +@@ -160,6 +161,21 @@ func \
TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {<br> > + \
}<br> > + }<br>
> +<br>
> ++func TestSkipEscapeComments(t *testing.T) {<br>
> ++ c := newTestCase(t)<br>
> ++ tr := parse.New("root")<br>
> ++ tr.Mode = parse.ParseComments<br>
> ++ newT, err := tr.Parse("{{/* A comment */}}{{ 1 }}{{/* Another \
comment */}}", "", "", make(map[string]*parse.Tree))<br> \
> ++ if err != nil {<br> > ++ t.Fatalf("Cannot \
parse template text: %v", err)<br> > ++ }<br>
> ++ c.root, err = c.root.AddParseTree("root", newT)<br>
> ++ if err != nil {<br>
> ++ t.Fatalf("Cannot add parse tree to template: \
%v", err)<br> > ++ }<br>
> ++ c.mustExecute(c.root, nil, "1")<br>
> ++}<br>
> ++<br>
> + type testCase struct {<br>
> + t *testing.T<br>
> + root *Template<br>
> +diff --git a/src/text/template/exec.go b/src/text/template/exec.go<br>
> +index ac3e741..7ac5175 100644<br>
> +--- a/src/text/template/exec.go<br>
> ++++ b/src/text/template/exec.go<br>
> +@@ -256,6 +256,7 @@ func (s *state) walk(dot reflect.Value, node parse.Node) \
{<br> > + if len(node.Pipe.Decl) == 0 {<br>
> + s.printValue(node, val)<br>
> + }<br>
> ++ case *parse.CommentNode:<br>
> + case *parse.IfNode:<br>
> + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, \
node.ElseList)<br> > + case *parse.ListNode:<br>
> +diff --git a/src/text/template/parse/lex.go \
b/src/text/template/parse/lex.go<br> > +index 30371f2..e41373a 100644<br>
> +--- a/src/text/template/parse/lex.go<br>
> ++++ b/src/text/template/parse/lex.go<br>
> +@@ -41,6 +41,7 @@ const (<br>
> + itemBool // boolean \
constant<br> > + itemChar // \
printable ASCII character; grab bag for comma etc.<br> > + \
itemCharConstant // character constant<br> > ++ \
itemComment // comment text<br> > + \
itemComplex // complex constant (1+2i); imaginary is \
just a number<br> > + itemAssign // \
equals ('=') introducing an assignment<br> > + itemDeclare \
// colon-equals (':=') introducing a declaration<br> > +@@ -112,6 +113,7 \
@@ type lexer struct {<br> > + leftDelim string // start of \
action<br> > + rightDelim string // end of action<br>
> + trimRightDelim string // end of action with trim marker<br>
> ++ emitComment bool // emit itemComment tokens.<br>
> + pos Pos // current position in the \
input<br> > + start Pos // start position of \
this item<br> > + width Pos // width of last \
rune read from input<br> > +@@ -203,7 +205,7 @@ func (l *lexer) drain() {<br>
> + }<br>
> +<br>
> + // lex creates a new scanner for the input string.<br>
> +-func lex(name, input, left, right string) *lexer {<br>
> ++func lex(name, input, left, right string, emitComment bool) *lexer {<br>
> + if left == "" {<br>
> + left = leftDelim<br>
> + }<br>
> +@@ -216,6 +218,7 @@ func lex(name, input, left, right string) *lexer {<br>
> + leftDelim: left,<br>
> + rightDelim: right,<br>
> + trimRightDelim: rightTrimMarker + right,<br>
> ++ emitComment: emitComment,<br>
> + items: make(chan item),<br>
> + line: 1,<br>
> + startLine: 1,<br>
> +@@ -323,6 +326,9 @@ func lexComment(l *lexer) stateFn {<br>
> + if !delim {<br>
> + return l.errorf("comment ends before closing \
delimiter")<br> > + }<br>
> ++ if l.emitComment {<br>
> ++ l.emit(itemComment)<br>
> ++ }<br>
> + if trimSpace {<br>
> + l.pos += trimMarkerLen<br>
> + }<br>
> +diff --git a/src/text/template/parse/lex_test.go \
b/src/text/template/parse/lex_test.go<br> > +index 563c4fc..f6d5f28 100644<br>
> +--- a/src/text/template/parse/lex_test.go<br>
> ++++ b/src/text/template/parse/lex_test.go<br>
> +@@ -15,6 +15,7 @@ var itemName = map[itemType]string{<br>
> + itemBool: "bool",<br>
> + itemChar: "char",<br>
> + itemCharConstant: "charconst",<br>
> ++ itemComment: "comment",<br>
> + itemComplex: "complex",<br>
> + itemDeclare: ":=",<br>
> + itemEOF: "EOF",<br>
> +@@ -90,6 +91,7 @@ var lexTests = []lexTest{<br>
> + {"text", `now is the time`, []item{mkItem(itemText, \
"now is the time"), tEOF}},<br> > + {"text with \
comment", "hello-{{/* this is a comment */}}-world", []item{<br> > \
+ mkItem(itemText, "hello-"),<br> > ++ \
mkItem(itemComment, "/* this is a comment */"),<br> > + \
mkItem(itemText, "-world"),<br> > + tEOF,<br>
> + }},<br>
> +@@ -311,6 +313,7 @@ var lexTests = []lexTest{<br>
> + }},<br>
> + {"trimming spaces before and after comment", "hello- \
{{- /* hello */ -}} -world", []item{<br> > + \
mkItem(itemText, "hello-"),<br> > ++ \
mkItem(itemComment, "/* hello */"),<br> > + \
mkItem(itemText, "-world"),<br> > + tEOF,<br>
> + }},<br>
> +@@ -389,7 +392,7 @@ var lexTests = []lexTest{<br>
> +<br>
> + // collect gathers the emitted items into a slice.<br>
> + func collect(t *lexTest, left, right string) (items []item) {<br>
> +- l := lex(<a href="http://t.name" rel="noreferrer" \
target="_blank">t.name</a>, t.input, left, right)<br> > ++ l := lex(<a \
href="http://t.name" rel="noreferrer" target="_blank">t.name</a>, t.input, left, \
right, true)<br> > + for {<br>
> + item := l.nextItem()<br>
> + items = append(items, item)<br>
> +@@ -529,7 +532,7 @@ func TestPos(t *testing.T) {<br>
> + func TestShutdown(t *testing.T) {<br>
> + // We need to duplicate template.Parse here to hold on to the \
lexer.<br> > + const text = \
"erroneous{{define}}{{else}}1234"<br> > +- lexer := \
lex("foo", text, "{{", "}}")<br> > ++ lexer \
:= lex("foo", text, "{{", "}}", false)<br> > + \
_, err := New("root").parseLexer(lexer)<br> > + if err == nil \
{<br> > + t.Fatalf("expected error")<br>
> +diff --git a/src/text/template/parse/node.go \
b/src/text/template/parse/node.go<br> > +index 1c116ea..a9dad5e 100644<br>
> +--- a/src/text/template/parse/node.go<br>
> ++++ b/src/text/template/parse/node.go<br>
> +@@ -70,6 +70,7 @@ const (<br>
> + NodeTemplate // A template invocation \
action.<br> > + NodeVariable // A $ \
variable.<br> > + NodeWith // A with \
action.<br> > ++ NodeComment // A \
comment.<br> > + )<br>
> +<br>
> + // Nodes.<br>
> +@@ -149,6 +150,38 @@ func (t *TextNode) Copy() Node {<br>
> + return &TextNode{tr: <a href="http://t.tr" rel="noreferrer" \
target="_blank">t.tr</a>, NodeType: NodeText, Pos: t.Pos, Text: append([]byte{}, \
t.Text...)}<br> > + }<br>
> +<br>
> ++// CommentNode holds a comment.<br>
> ++type CommentNode struct {<br>
> ++ NodeType<br>
> ++ Pos<br>
> ++ tr *Tree<br>
> ++ Text string // Comment text.<br>
> ++}<br>
> ++<br>
> ++func (t *Tree) newComment(pos Pos, text string) *CommentNode {<br>
> ++ return &CommentNode{tr: t, NodeType: NodeComment, Pos: pos, Text: \
text}<br> > ++}<br>
> ++<br>
> ++func (c *CommentNode) String() string {<br>
> ++ var sb strings.Builder<br>
> ++ c.writeTo(&sb)<br>
> ++ return sb.String()<br>
> ++}<br>
> ++<br>
> ++func (c *CommentNode) writeTo(sb *strings.Builder) {<br>
> ++ sb.WriteString("{{")<br>
> ++ sb.WriteString(c.Text)<br>
> ++ sb.WriteString("}}")<br>
> ++}<br>
> ++<br>
> ++func (c *CommentNode) tree() *Tree {<br>
> ++ return <a href="http://c.tr" rel="noreferrer" \
target="_blank">c.tr</a><br> > ++}<br>
> ++<br>
> ++func (c *CommentNode) Copy() Node {<br>
> ++ return &CommentNode{tr: <a href="http://c.tr" rel="noreferrer" \
target="_blank">c.tr</a>, NodeType: NodeComment, Pos: c.Pos, Text: c.Text}<br> > \
++}<br> > ++<br>
> + // PipeNode holds a pipeline with optional declaration<br>
> + type PipeNode struct {<br>
> + NodeType<br>
> +diff --git a/src/text/template/parse/parse.go \
b/src/text/template/parse/parse.go<br> > +index c9b80f4..496d8bf 100644<br>
> +--- a/src/text/template/parse/parse.go<br>
> ++++ b/src/text/template/parse/parse.go<br>
> +@@ -21,6 +21,7 @@ type Tree struct {<br>
> + Name string // name of the template represented by the \
tree.<br> > + ParseName string // name of the top-level template \
during parsing, for error messages.<br> > + Root *ListNode // \
top-level root of the tree.<br> > ++ Mode Mode // parsing \
mode.<br> > + text string // text parsed to create the \
template (or its parent)<br> > + // Parsing only; cleared after \
parse.<br> > + funcs []map[string]interface{}<br>
> +@@ -29,8 +30,16 @@ type Tree struct {<br>
> + peekCount int<br>
> + vars []string // variables defined at the moment.<br>
> + treeSet map[string]*Tree<br>
> ++ mode Mode<br>
> + }<br>
> +<br>
> ++// A mode value is a set of flags (or 0). Modes control parser behavior.<br>
> ++type Mode uint<br>
> ++<br>
> ++const (<br>
> ++ ParseComments Mode = 1 << iota // parse comments and add them \
to AST<br> > ++)<br>
> ++<br>
> + // Copy returns a copy of the Tree. Any parsing state is discarded.<br>
> + func (t *Tree) Copy() *Tree {<br>
> + if t == nil {<br>
> +@@ -220,7 +229,8 @@ func (t *Tree) stopParse() {<br>
> + func (t *Tree) Parse(text, leftDelim, rightDelim string, treeSet \
map[string]*Tree, funcs ...map[string]interface{}) (tree *Tree, err error) {<br> > \
+ defer t.recover(&err)<br> > + t.ParseName = t.Name<br>
> +- t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim), \
treeSet)<br> > ++ emitComment := t.Mode&ParseComments != 0<br>
> ++ t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim, \
emitComment), treeSet)<br> > + t.text = text<br>
> + t.parse()<br>
> + t.add()<br>
> +@@ -240,12 +250,14 @@ func (t *Tree) add() {<br>
> + }<br>
> + }<br>
> +<br>
> +-// IsEmptyTree reports whether this tree (node) is empty of everything but \
space.<br> > ++// IsEmptyTree reports whether this tree (node) is empty of \
everything but space or comments.<br> > + func IsEmptyTree(n Node) bool {<br>
> + switch n := n.(type) {<br>
> + case nil:<br>
> + return true<br>
> + case *ActionNode:<br>
> ++ case *CommentNode:<br>
> ++ return true<br>
> + case *IfNode:<br>
> + case *ListNode:<br>
> + for _, node := range n.Nodes {<br>
> +@@ -276,6 +288,7 @@ func (t *Tree) parse() {<br>
> + if t.nextNonSpace().typ == itemDefine {<br>
> + newT := \
New("definition") // name will be updated once we know it.<br> > + \
newT.text = t.text<br> > ++ newT.Mode \
= t.Mode<br> > + newT.ParseName = \
t.ParseName<br> > + \
newT.startParse(t.funcs, t.lex, t.treeSet)<br> > + \
newT.parseDefinition()<br> > +@@ -331,13 +344,15 @@ func (t *Tree) itemList() \
(list *ListNode, next Node) {<br> > + }<br>
> +<br>
> + // textOrAction:<br>
> +-// text | action<br>
> ++// text | comment | action<br>
> + func (t *Tree) textOrAction() Node {<br>
> + switch token := t.nextNonSpace(); token.typ {<br>
> + case itemText:<br>
> + return t.newText(token.pos, token.val)<br>
> + case itemLeftDelim:<br>
> + return t.action()<br>
> ++ case itemComment:<br>
> ++ return t.newComment(token.pos, token.val)<br>
> + default:<br>
> + t.unexpected(token, "input")<br>
> + }<br>
> +@@ -539,6 +554,7 @@ func (t *Tree) blockControl() Node {<br>
> +<br>
> + block := New(name) // name will be updated once we know it.<br>
> + block.text = t.text<br>
> ++ block.Mode = t.Mode<br>
> + block.ParseName = t.ParseName<br>
> + block.startParse(t.funcs, t.lex, t.treeSet)<br>
> + var end Node<br>
> +diff --git a/src/text/template/parse/parse_test.go \
b/src/text/template/parse/parse_test.go<br> > +index 4e09a78..d9c13c5 100644<br>
> +--- a/src/text/template/parse/parse_test.go<br>
> ++++ b/src/text/template/parse/parse_test.go<br>
> +@@ -348,6 +348,30 @@ func TestParseCopy(t *testing.T) {<br>
> + testParse(true, t)<br>
> + }<br>
> +<br>
> ++func TestParseWithComments(t *testing.T) {<br>
> ++ textFormat = "%q"<br>
> ++ defer func() { textFormat = "%s" }()<br>
> ++ tests := [...]parseTest{<br>
> ++ {"comment", "{{/*\n\n\n*/}}", \
noError, "{{/*\n\n\n*/}}"},<br> > ++ {"comment \
trim left", "x \r\n\t{{- /* hi */}}", noError, `"x"{{/* hi \
*/}}`},<br> > ++ {"comment trim right", "{{/* \
hi */ -}}\n\n\ty", noError, `{{/* hi */}}"y"`},<br> > ++ \
{"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", \
noError, `"x"{{/* */}}"y"`},<br> > ++ }<br>
> ++ for _, test := range tests {<br>
> ++ t.Run(<a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, func(t *testing.T) {<br> > ++ \
tr := New(<a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>)<br> > ++ tr.Mode = \
ParseComments<br> > ++ tmpl, err := \
tr.Parse(test.input, "", "", make(map[string]*Tree))<br> > ++ \
if err != nil {<br> > ++ \
t.Errorf("%q: expected error; got none", <a href="http://test.name" \
rel="noreferrer" target="_blank">test.name</a>)<br> > ++ \
}<br> > ++ if result := tmpl.Root.String(); result \
!= test.result {<br> > ++ \
t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", <a href="http://test.name" \
rel="noreferrer" target="_blank">test.name</a>, test.input, result, test.result)<br> \
> ++ }<br> > ++ })<br>
> ++ }<br>
> ++}<br>
> ++<br>
> + type isEmptyTest struct {<br>
> + name string<br>
> + input string<br>
> +@@ -358,6 +382,7 @@ var isEmptyTests = []isEmptyTest{<br>
> + {"empty", ``, true},<br>
> + {"nonempty", `hello`, false},<br>
> + {"spaces only", " \t\n \t\n", true},<br>
> ++ {"comment only", "{{/* comment */}}", true},<br>
> + {"definition", `{{define "x"}}something{{end}}`, \
true},<br> > + {"definitions and space", "{{define \
`x`}}something{{end}}\n\n{{define `y`}}something{{end}}\n\n", true},<br> > + \
{"definitions and text", "{{define `x`}}something{{end}}\nx\n{{define \
`y`}}something{{end}}\ny\n", false},<br> > +--<br>
> +2.7.4<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch<br> > new file mode \
100644<br> > index 0000000000..d5e2eb6684<br>
> --- /dev/null<br>
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch<br>
> @@ -0,0 +1,497 @@<br>
> +From 760d88497091fb5d6d231a18e6f4e06ecb9af9b2 Mon Sep 17 00:00:00 2001<br>
> +From: Russ Cox <<a href="mailto:rsc@golang.org" \
target="_blank">rsc@golang.org</a>><br> > +Date: Thu, 10 Sep 2020 18:53:26 \
-0400<br> > +Subject: [PATCH 4/6] text/template: allow newlines inside action \
delimiters<br> > +<br>
> +This allows multiline constructs like:<br>
> +<br>
> + {{"hello" |<br>
> + printf}}<br>
> +<br>
> +Now that unclosed actions can span multiple lines,<br>
> +track and report the start of the action when reporting errors.<br>
> +<br>
> +Also clean up a few "unexpected <error message>" to be just \
"<error message>".<br> > +<br>
> +Fixes #29770.<br>
> +<br>
> +Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285<br>
> +Reviewed-on: <a href="https://go-review.googlesource.com/c/go/+/254257" \
rel="noreferrer" target="_blank">https://go-review.googlesource.com/c/go/+/254257</a><br>
> +Trust: Russ Cox <<a href="mailto:rsc@golang.org" \
target="_blank">rsc@golang.org</a>><br> > +Run-TryBot: Russ Cox <<a \
href="mailto:rsc@golang.org" target="_blank">rsc@golang.org</a>><br> > \
+TryBot-Result: Go Bot <<a href="mailto:gobot@golang.org" \
target="_blank">gobot@golang.org</a>><br> > +Reviewed-by: Rob Pike <<a \
href="mailto:r@golang.org" target="_blank">r@golang.org</a>><br> > +<br>
> +Dependency Patch #4<br>
> +<br>
> +Upstream-Status: Backport from <a \
href="https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017</a><br>
> +CVE: CVE-2023-24538<br>
> +Signed-off-by: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> > +---<br>
> + src/text/template/doc.go | 21 ++++-----<br>
> + src/text/template/exec_test.go | 2 +-<br>
> + src/text/template/parse/lex.go | 84 \
+++++++++++++++++------------------<br> > + src/text/template/parse/lex_test.go \
| 2 +-<br> > + src/text/template/parse/parse.go | 59 \
+++++++++++++-----------<br> > + src/text/template/parse/parse_test.go | 36 \
++++++++++++---<br> > + 6 files changed, 117 insertions(+), 87 deletions(-)<br>
> +<br>
> +diff --git a/src/text/template/doc.go b/src/text/template/doc.go<br>
> +index 4b0efd2..7b30294 100644<br>
> +--- a/src/text/template/doc.go<br>
> ++++ b/src/text/template/doc.go<br>
> +@@ -40,16 +40,17 @@ More intricate examples appear below.<br>
> + Text and spaces<br>
> +<br>
> + By default, all text between actions is copied verbatim when the template \
is<br> > +-executed. For example, the string " items are made of " in \
the example above appears<br> > +-on standard output when the program is run.<br>
> +-<br>
> +-However, to aid in formatting template source code, if an action's left \
delimiter<br> > +-(by default "{{") is followed immediately by a minus \
sign and ASCII space character<br> > +-("{{- "), all trailing white \
space is trimmed from the immediately preceding text.<br> > +-Similarly, if the \
right delimiter ("}}") is preceded by a space and minus sign<br> > \
+-(" -}}"), all leading white space is trimmed from the immediately \
following text.<br> > +-In these trim markers, the ASCII space must be present; \
"{{-3}}" parses as an<br> > +-action containing the number -3.<br>
> ++executed. For example, the string " items are made of " in the \
example above<br> > ++appears on standard output when the program is run.<br>
> ++<br>
> ++However, to aid in formatting template source code, if an action's \
left<br> > ++delimiter (by default "{{") is followed immediately by a \
minus sign and white<br> > ++space, all trailing white space is trimmed from the \
immediately preceding text.<br> > ++Similarly, if the right delimiter \
("}}") is preceded by white space and a minus<br> > ++sign, all leading \
white space is trimmed from the immediately following text.<br> > ++In these trim \
markers, the white space must be present:<br> > ++"{{- 3}}" is like \
"{{3}}" but trims the immediately preceding text, while<br> > \
++"{{-3}}" parses as an action containing the number -3.<br> > +<br>
> + For instance, when executing the template whose source is<br>
> +<br>
> +diff --git a/src/text/template/exec_test.go \
b/src/text/template/exec_test.go<br> > +index b8a809e..3309b33 100644<br>
> +--- a/src/text/template/exec_test.go<br>
> ++++ b/src/text/template/exec_test.go<br>
> +@@ -1295,7 +1295,7 @@ func TestUnterminatedStringError(t *testing.T) {<br>
> + t.Fatal("expected error")<br>
> + }<br>
> + str := err.Error()<br>
> +- if !strings.Contains(str, "X:3: unexpected unterminated raw \
quoted string") {<br> > ++ if !strings.Contains(str, "X:3: \
unterminated raw quoted string") {<br> > + \
t.Fatalf("unexpected error: %s", str)<br> > + }<br>
> + }<br>
> +diff --git a/src/text/template/parse/lex.go \
b/src/text/template/parse/lex.go<br> > +index e41373a..6784071 100644<br>
> +--- a/src/text/template/parse/lex.go<br>
> ++++ b/src/text/template/parse/lex.go<br>
> +@@ -92,15 +92,14 @@ const eof = -1<br>
> + // If the action begins "{{- " rather than "{{", then all \
space/tab/newlines<br> > + // preceding the action are trimmed; conversely if it \
ends " -}}" the<br> > + // leading spaces are trimmed. This is done \
entirely in the lexer; the<br> > +-// parser never sees it happen. We require an \
ASCII space to be<br> > +-// present to avoid ambiguity with things like \
"{{-3}}". It reads<br> > ++// parser never sees it happen. We require an \
ASCII space (' ', \t, \r, \n)<br> > ++// to be present to avoid ambiguity \
with things like "{{-3}}". It reads<br> > + // better with the space \
present anyway. For simplicity, only ASCII<br> > +-// space does the job.<br>
> ++// does the job.<br>
> + const (<br>
> +- spaceChars = " \t\r\n" // These are the space \
characters defined by Go itself.<br> > +- leftTrimMarker = "- \
" // Attached to left delimiter, trims trailing spaces from preceding \
text.<br> > +- rightTrimMarker = " -" // Attached to \
right delimiter, trims leading spaces from following text.<br> > +- \
trimMarkerLen = Pos(len(leftTrimMarker))<br> > ++ spaceChars = \
" \t\r\n" // These are the space characters defined by Go itself.<br> \
> ++ trimMarker = '-' // Attached to left/right \
delimiter, trims trailing spaces from preceding/following text.<br> > ++ \
trimMarkerLen = Pos(1 + 1) // marker plus space before or after<br> > + )<br>
> +<br>
> + // stateFn represents the state of the scanner as a function that returns the \
next state.<br> > +@@ -108,19 +107,18 @@ type stateFn func(*lexer) stateFn<br>
> +<br>
> + // lexer holds the state of the scanner.<br>
> + type lexer struct {<br>
> +- name string // the name of the input; used only \
for error reports<br> > +- input string // the string \
being scanned<br> > +- leftDelim string // start of \
action<br> > +- rightDelim string // end of action<br>
> +- trimRightDelim string // end of action with trim marker<br>
> +- emitComment bool // emit itemComment tokens.<br>
> +- pos Pos // current position in the \
input<br> > +- start Pos // start position of this \
item<br> > +- width Pos // width of last rune read \
from input<br> > +- items chan item // channel of scanned \
items<br> > +- parenDepth int // nesting depth of ( ) \
exprs<br> > +- line int // 1+number of newlines \
seen<br> > +- startLine int // start line of this \
item<br> > ++ name string // the name of the input; used \
only for error reports<br> > ++ input string // the string \
being scanned<br> > ++ leftDelim string // start of action<br>
> ++ rightDelim string // end of action<br>
> ++ emitComment bool // emit itemComment tokens.<br>
> ++ pos Pos // current position in the input<br>
> ++ start Pos // start position of this item<br>
> ++ width Pos // width of last rune read from \
input<br> > ++ items chan item // channel of scanned items<br>
> ++ parenDepth int // nesting depth of ( ) exprs<br>
> ++ line int // 1+number of newlines seen<br>
> ++ startLine int // start line of this item<br>
> + }<br>
> +<br>
> + // next returns the next rune in the input.<br>
> +@@ -213,15 +211,14 @@ func lex(name, input, left, right string, emitComment \
bool) *lexer {<br> > + right = rightDelim<br>
> + }<br>
> + l := &lexer{<br>
> +- name: name,<br>
> +- input: input,<br>
> +- leftDelim: left,<br>
> +- rightDelim: right,<br>
> +- trimRightDelim: rightTrimMarker + right,<br>
> +- emitComment: emitComment,<br>
> +- items: make(chan item),<br>
> +- line: 1,<br>
> +- startLine: 1,<br>
> ++ name: name,<br>
> ++ input: input,<br>
> ++ leftDelim: left,<br>
> ++ rightDelim: right,<br>
> ++ emitComment: emitComment,<br>
> ++ items: make(chan item),<br>
> ++ line: 1,<br>
> ++ startLine: 1,<br>
> + }<br>
> + go l.run()<br>
> + return l<br>
> +@@ -251,7 +248,7 @@ func lexText(l *lexer) stateFn {<br>
> + ldn := Pos(len(l.leftDelim))<br>
> + l.pos += Pos(x)<br>
> + trimLength := Pos(0)<br>
> +- if strings.HasPrefix(l.input[l.pos+ldn:], leftTrimMarker) \
{<br> > ++ if hasLeftTrimMarker(l.input[l.pos+ldn:]) {<br>
> + trimLength = \
rightTrimLength(l.input[l.start:l.pos])<br> > + }<br>
> + l.pos -= trimLength<br>
> +@@ -280,7 +277,7 @@ func rightTrimLength(s string) Pos {<br>
> +<br>
> + // atRightDelim reports whether the lexer is at a right delimiter, possibly \
preceded by a trim marker.<br> > + func (l *lexer) atRightDelim() (delim, \
trimSpaces bool) {<br> > +- if strings.HasPrefix(l.input[l.pos:], \
l.trimRightDelim) { // With trim marker.<br> > ++ if \
hasRightTrimMarker(l.input[l.pos:]) && \
strings.HasPrefix(l.input[l.pos+trimMarkerLen:], l.rightDelim) { // With trim \
marker.<br> > + return true, true<br>
> + }<br>
> + if strings.HasPrefix(l.input[l.pos:], l.rightDelim) { // Without \
trim marker.<br> > +@@ -297,7 +294,7 @@ func leftTrimLength(s string) Pos {<br>
> + // lexLeftDelim scans the left delimiter, which is known to be present, \
possibly with a trim marker.<br> > + func lexLeftDelim(l *lexer) stateFn {<br>
> + l.pos += Pos(len(l.leftDelim))<br>
> +- trimSpace := strings.HasPrefix(l.input[l.pos:], leftTrimMarker)<br>
> ++ trimSpace := hasLeftTrimMarker(l.input[l.pos:])<br>
> + afterMarker := Pos(0)<br>
> + if trimSpace {<br>
> + afterMarker = trimMarkerLen<br>
> +@@ -342,7 +339,7 @@ func lexComment(l *lexer) stateFn {<br>
> +<br>
> + // lexRightDelim scans the right delimiter, which is known to be present, \
possibly with a trim marker.<br> > + func lexRightDelim(l *lexer) stateFn {<br>
> +- trimSpace := strings.HasPrefix(l.input[l.pos:], rightTrimMarker)<br>
> ++ trimSpace := hasRightTrimMarker(l.input[l.pos:])<br>
> + if trimSpace {<br>
> + l.pos += trimMarkerLen<br>
> + l.ignore()<br>
> +@@ -369,7 +366,7 @@ func lexInsideAction(l *lexer) stateFn {<br>
> + return l.errorf("unclosed left paren")<br>
> + }<br>
> + switch r := l.next(); {<br>
> +- case r == eof || isEndOfLine(r):<br>
> ++ case r == eof:<br>
> + return l.errorf("unclosed action")<br>
> + case isSpace(r):<br>
> + l.backup() // Put space back in case we have " \
-}}".<br> > +@@ -439,7 +436,7 @@ func lexSpace(l *lexer) stateFn {<br>
> + }<br>
> + // Be careful about a trim-marked closing delimiter, which has a \
minus<br> > + // after a space. We know there is a space, so check for \
the '-' that might follow.<br> > +- if \
strings.HasPrefix(l.input[l.pos-1:], l.trimRightDelim) {<br> > ++ if \
hasRightTrimMarker(l.input[l.pos-1:]) && \
strings.HasPrefix(l.input[l.pos-1+trimMarkerLen:], l.rightDelim) {<br> > + \
l.backup() // Before the space.<br> > + if numSpaces == 1 \
{<br> > + return lexRightDelim // On the delim, \
so go right to that.<br> > +@@ -526,7 +523,7 @@ func lexFieldOrVariable(l *lexer, \
typ itemType) stateFn {<br> > + // day to implement arithmetic.<br>
> + func (l *lexer) atTerminator() bool {<br>
> + r := l.peek()<br>
> +- if isSpace(r) || isEndOfLine(r) {<br>
> ++ if isSpace(r) {<br>
> + return true<br>
> + }<br>
> + switch r {<br>
> +@@ -657,15 +654,18 @@ Loop:<br>
> +<br>
> + // isSpace reports whether r is a space character.<br>
> + func isSpace(r rune) bool {<br>
> +- return r == ' ' || r == '\t'<br>
> +-}<br>
> +-<br>
> +-// isEndOfLine reports whether r is an end-of-line character.<br>
> +-func isEndOfLine(r rune) bool {<br>
> +- return r == '\r' || r == '\n'<br>
> ++ return r == ' ' || r == '\t' || r == '\r' || \
r == '\n'<br> > + }<br>
> +<br>
> + // isAlphaNumeric reports whether r is an alphabetic, digit, or \
underscore.<br> > + func isAlphaNumeric(r rune) bool {<br>
> + return r == '_' || unicode.IsLetter(r) || \
unicode.IsDigit(r)<br> > + }<br>
> ++<br>
> ++func hasLeftTrimMarker(s string) bool {<br>
> ++ return len(s) >= 2 && s[0] == trimMarker && \
isSpace(rune(s[1]))<br> > ++}<br>
> ++<br>
> ++func hasRightTrimMarker(s string) bool {<br>
> ++ return len(s) >= 2 && isSpace(rune(s[0])) && s[1] \
== trimMarker<br> > ++}<br>
> +diff --git a/src/text/template/parse/lex_test.go \
b/src/text/template/parse/lex_test.go<br> > +index f6d5f28..6510eed 100644<br>
> +--- a/src/text/template/parse/lex_test.go<br>
> ++++ b/src/text/template/parse/lex_test.go<br>
> +@@ -323,7 +323,7 @@ var lexTests = []lexTest{<br>
> + tLeft,<br>
> + mkItem(itemError, "unrecognized character in \
action: U+0001"),<br> > + }},<br>
> +- {"unclosed action", "{{\n}}", []item{<br>
> ++ {"unclosed action", "{{", []item{<br>
> + tLeft,<br>
> + mkItem(itemError, "unclosed action"),<br>
> + }},<br>
> +diff --git a/src/text/template/parse/parse.go \
b/src/text/template/parse/parse.go<br> > +index 496d8bf..5e6e512 100644<br>
> +--- a/src/text/template/parse/parse.go<br>
> ++++ b/src/text/template/parse/parse.go<br>
> +@@ -24,13 +24,14 @@ type Tree struct {<br>
> + Mode Mode // parsing mode.<br>
> + text string // text parsed to create the template (or \
its parent)<br> > + // Parsing only; cleared after parse.<br>
> +- funcs []map[string]interface{}<br>
> +- lex *lexer<br>
> +- token [3]item // three-token lookahead for parser.<br>
> +- peekCount int<br>
> +- vars []string // variables defined at the moment.<br>
> +- treeSet map[string]*Tree<br>
> +- mode Mode<br>
> ++ funcs []map[string]interface{}<br>
> ++ lex *lexer<br>
> ++ token [3]item // three-token lookahead for parser.<br>
> ++ peekCount int<br>
> ++ vars []string // variables defined at the moment.<br>
> ++ treeSet map[string]*Tree<br>
> ++ actionLine int // line of left delim starting action<br>
> ++ mode Mode<br>
> + }<br>
> +<br>
> + // A mode value is a set of flags (or 0). Modes control parser behavior.<br>
> +@@ -187,6 +188,16 @@ func (t *Tree) expectOneOf(expected1, expected2 itemType, \
context string) item {<br> > +<br>
> + // unexpected complains about the token and terminates processing.<br>
> + func (t *Tree) unexpected(token item, context string) {<br>
> ++ if token.typ == itemError {<br>
> ++ extra := ""<br>
> ++ if t.actionLine != 0 && t.actionLine != \
token.line {<br> > ++ extra = fmt.Sprintf(" \
in action started at %s:%d", t.ParseName, t.actionLine)<br> > ++ \
if strings.HasSuffix(token.val, " action") {<br> > ++ \
extra = extra[len(" in action"):] // avoid "action in action"<br> \
> ++ }<br> > ++ }<br>
> ++ t.errorf("%s%s", token, extra)<br>
> ++ }<br>
> + t.errorf("unexpected %s in %s", token, context)<br>
> + }<br>
> +<br>
> +@@ -350,6 +361,8 @@ func (t *Tree) textOrAction() Node {<br>
> + case itemText:<br>
> + return t.newText(token.pos, token.val)<br>
> + case itemLeftDelim:<br>
> ++ t.actionLine = token.line<br>
> ++ defer t.clearActionLine()<br>
> + return t.action()<br>
> + case itemComment:<br>
> + return t.newComment(token.pos, token.val)<br>
> +@@ -359,6 +372,10 @@ func (t *Tree) textOrAction() Node {<br>
> + return nil<br>
> + }<br>
> +<br>
> ++func (t *Tree) clearActionLine() {<br>
> ++ t.actionLine = 0<br>
> ++}<br>
> ++<br>
> + // Action:<br>
> + // control<br>
> + // command ("|" command)*<br>
> +@@ -384,12 +401,12 @@ func (t *Tree) action() (n Node) {<br>
> + t.backup()<br>
> + token := t.peek()<br>
> + // Do not pop variables; they persist until "end".<br>
> +- return t.newAction(token.pos, token.line, \
t.pipeline("command"))<br> > ++ return t.newAction(token.pos, \
token.line, t.pipeline("command", itemRightDelim))<br> > + }<br>
> +<br>
> + // Pipeline:<br>
> + // declarations? command ('|' command)*<br>
> +-func (t *Tree) pipeline(context string) (pipe *PipeNode) {<br>
> ++func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) {<br>
> + token := t.peekNonSpace()<br>
> + pipe = t.newPipeline(token.pos, token.line, nil)<br>
> + // Are there declarations or assignments?<br>
> +@@ -430,12 +447,9 @@ decls:<br>
> + }<br>
> + for {<br>
> + switch token := t.nextNonSpace(); token.typ {<br>
> +- case itemRightDelim, itemRightParen:<br>
> ++ case end:<br>
> + // At this point, the pipeline is \
complete<br> > + t.checkPipeline(pipe, \
context)<br> > +- if token.typ == itemRightParen \
{<br> > +- t.backup()<br>
> +- }<br>
> + return<br>
> + case itemBool, itemCharConstant, itemComplex, itemDot, \
itemField, itemIdentifier,<br> > + itemNumber, \
itemNil, itemRawString, itemString, itemVariable, itemLeftParen:<br> > +@@ -464,7 \
+478,7 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) {<br> > \
+<br> > + func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, \
line int, pipe *PipeNode, list, elseList *ListNode) {<br> > + defer \
t.popVars(len(t.vars))<br> > +- pipe = t.pipeline(context)<br>
> ++ pipe = t.pipeline(context, itemRightDelim)<br>
> + var next Node<br>
> + list, next = t.itemList()<br>
> + switch next.Type() {<br>
> +@@ -550,7 +564,7 @@ func (t *Tree) blockControl() Node {<br>
> +<br>
> + token := t.nextNonSpace()<br>
> + name := t.parseTemplateName(token, context)<br>
> +- pipe := t.pipeline(context)<br>
> ++ pipe := t.pipeline(context, itemRightDelim)<br>
> +<br>
> + block := New(name) // name will be updated once we know it.<br>
> + block.text = t.text<br>
> +@@ -580,7 +594,7 @@ func (t *Tree) templateControl() Node {<br>
> + if t.nextNonSpace().typ != itemRightDelim {<br>
> + t.backup()<br>
> + // Do not pop variables; they persist until \
"end".<br> > +- pipe = t.pipeline(context)<br>
> ++ pipe = t.pipeline(context, itemRightDelim)<br>
> + }<br>
> + return t.newTemplate(token.pos, token.line, name, pipe)<br>
> + }<br>
> +@@ -614,13 +628,12 @@ func (t *Tree) command() *CommandNode {<br>
> + switch token := t.next(); token.typ {<br>
> + case itemSpace:<br>
> + continue<br>
> +- case itemError:<br>
> +- t.errorf("%s", token.val)<br>
> + case itemRightDelim, itemRightParen:<br>
> + t.backup()<br>
> + case itemPipe:<br>
> ++ // nothing here; break loop below<br>
> + default:<br>
> +- t.errorf("unexpected %s in \
operand", token)<br> > ++ t.unexpected(token, \
"operand")<br> > + }<br>
> + break<br>
> + }<br>
> +@@ -675,8 +688,6 @@ func (t *Tree) operand() Node {<br>
> + // A nil return means the next item is not a term.<br>
> + func (t *Tree) term() Node {<br>
> + switch token := t.nextNonSpace(); token.typ {<br>
> +- case itemError:<br>
> +- t.errorf("%s", token.val)<br>
> + case itemIdentifier:<br>
> + if !t.hasFunction(token.val) {<br>
> + t.errorf("function %q not \
defined", token.val)<br> > +@@ -699,11 +710,7 @@ func (t *Tree) term() Node \
{<br> > + }<br>
> + return number<br>
> + case itemLeftParen:<br>
> +- pipe := t.pipeline("parenthesized \
pipeline")<br> > +- if token := t.next(); token.typ != \
itemRightParen {<br> > +- t.errorf("unclosed \
right paren: unexpected %s", token)<br> > +- }<br>
> +- return pipe<br>
> ++ return t.pipeline("parenthesized pipeline", \
itemRightParen)<br> > + case itemString, itemRawString:<br>
> + s, err := strconv.Unquote(token.val)<br>
> + if err != nil {<br>
> +diff --git a/src/text/template/parse/parse_test.go \
b/src/text/template/parse/parse_test.go<br> > +index d9c13c5..220f984 100644<br>
> +--- a/src/text/template/parse/parse_test.go<br>
> ++++ b/src/text/template/parse/parse_test.go<br>
> +@@ -250,6 +250,13 @@ var parseTests = []parseTest{<br>
> + {"comment trim left and right", "x \r\n\t{{- /* */ \
-}}\n\n\ty", noError, `"x""y"`},<br> > + \
{"block definition", `{{block "foo" .}}hello{{end}}`, \
noError,<br> > + `{{template "foo" .}}`},<br>
> ++<br>
> ++ {"newline in assignment", "{{ $x \n := \n 1 \n \
}}", noError, "{{$x := 1}}"},<br> > ++ {"newline in \
empty action", "{{\n}}", hasError, "{{\n}}"},<br> > ++ \
{"newline in pipeline", "{{\n\"x\"\n|\nprintf\n}}", \
noError, `{{"x" | printf}}`},<br> > ++ {"newline in \
comment", "{{/*\nhello\n*/}}", noError, ""},<br> > ++ \
{"newline in comment", "{{-\n/*\nhello\n*/\n-}}", noError, \
""},<br> > ++<br>
> + // Errors.<br>
> + {"unclosed action", "hello{{range", hasError, \
""},<br> > + {"unmatched end", "{{end}}", \
hasError, ""},<br> > +@@ -426,23 +433,38 @@ var errorTests = \
[]parseTest{<br> > + // Check line numbers are accurate.<br>
> + {"unclosed1",<br>
> + "line1\n{{",<br>
> +- hasError, `unclosed1:2: unexpected unclosed action in \
command`},<br> > ++ hasError, `unclosed1:2: unclosed \
action`},<br> > + {"unclosed2",<br>
> + "line1\n{{define `x`}}line2\n{{",<br>
> +- hasError, `unclosed2:3: unexpected unclosed action in \
command`},<br> > ++ hasError, `unclosed2:3: unclosed \
action`},<br> > ++ {"unclosed3",<br>
> ++ \
"line1\n{{\"x\"\n\"y\"\n",<br> > ++ \
hasError, `unclosed3:4: unclosed action started at unclosed3:2`},<br> > ++ \
{"unclosed4",<br> > ++ "{{\n\n\n\n\n",<br>
> ++ hasError, `unclosed4:6: unclosed action started at \
unclosed4:1`},<br> > ++ {"var1",<br>
> ++ "line1\n{{\nx\n}}",<br>
> ++ hasError, `var1:3: function "x" not \
defined`},<br> > + // Specific errors.<br>
> + {"function",<br>
> + "{{foo}}",<br>
> + hasError, `function "foo" not defined`},<br>
> +- {"comment",<br>
> ++ {"comment1",<br>
> + "{{/*}}",<br>
> +- hasError, `unclosed comment`},<br>
> ++ hasError, `comment1:1: unclosed comment`},<br>
> ++ {"comment2",<br>
> ++ "{{/*\nhello\n}}",<br>
> ++ hasError, `comment2:1: unclosed comment`},<br>
> + {"lparen",<br>
> + "{{.X (1 2 3}}",<br>
> + hasError, `unclosed left paren`},<br>
> + {"rparen",<br>
> +- "{{.X 1 2 3)}}",<br>
> +- hasError, `unexpected ")"`},<br>
> ++ "{{.X 1 2 3 ) }}",<br>
> ++ hasError, `unexpected ")" in command`},<br>
> ++ {"rparen2",<br>
> ++ "{{(.X 1 2 3",<br>
> ++ hasError, `unclosed action`},<br>
> + {"space",<br>
> + "{{`x`3}}",<br>
> + hasError, `in operand`},<br>
> +@@ -488,7 +510,7 @@ var errorTests = []parseTest{<br>
> + hasError, `missing value for parenthesized \
pipeline`},<br> > + {"multilinerawstring",<br>
> + "{{ $v := `\n` }} {{",<br>
> +- hasError, `multilinerawstring:2: unexpected unclosed \
action`},<br> > ++ hasError, `multilinerawstring:2: unclosed \
action`},<br> > + {"rangeundefvar",<br>
> + "{{range $k}}{{end}}",<br>
> + hasError, `undefined variable`},<br>
> +--<br>
> +2.7.4<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch<br> > new file mode \
100644<br> > index 0000000000..fc38929648<br>
> --- /dev/null<br>
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch<br>
> @@ -0,0 +1,585 @@<br>
> +From e0e6bca6ddc0e6d9fa3a5b644af9b446924fbf83 Mon Sep 17 00:00:00 2001<br>
> +From: Russ Cox <<a href="mailto:rsc@golang.org" \
target="_blank">rsc@golang.org</a>><br> > +Date: Thu, 20 May 2021 12:46:33 \
-0400<br> > +Subject: [PATCH 5/6] html/template, text/template: implement break \
and<br> > + continue for range loops<br>
> +<br>
> +Break and continue for range loops was accepted as a proposal in June 2017.<br>
> +It was implemented in CL 66410 (Oct 2017)<br>
> +but then rolled back in CL 92155 (Feb 2018)<br>
> +because html/template changes had not been implemented.<br>
> +<br>
> +This CL reimplements break and continue in text/template<br>
> +and then adds support for them in html/template as well.<br>
> +<br>
> +Fixes #20531.<br>
> +<br>
> +Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616<br>
> +Reviewed-on: <a href="https://go-review.googlesource.com/c/go/+/321491" \
rel="noreferrer" target="_blank">https://go-review.googlesource.com/c/go/+/321491</a><br>
> +Trust: Russ Cox <<a href="mailto:rsc@golang.org" \
target="_blank">rsc@golang.org</a>><br> > +Run-TryBot: Russ Cox <<a \
href="mailto:rsc@golang.org" target="_blank">rsc@golang.org</a>><br> > \
+TryBot-Result: Go Bot <<a href="mailto:gobot@golang.org" \
target="_blank">gobot@golang.org</a>><br> > +Reviewed-by: Rob Pike <<a \
href="mailto:r@golang.org" target="_blank">r@golang.org</a>><br> > +<br>
> +Dependency Patch #5<br>
> +<br>
> +Upstream-Status: Backport from <a \
href="https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565" \
rel="noreferrer" target="_blank">https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565</a><br>
> +CVE: CVE-2023-24538<br>
> +Signed-off-by: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> > +---<br>
> + src/html/template/context.go | 4 ++<br>
> + src/html/template/escape.go | 71 \
++++++++++++++++++++++++++++++++++-<br> > + src/html/template/escape_test.go \
| 24 ++++++++++++<br> > + src/text/template/doc.go | 8 \
++++<br> > + src/text/template/exec.go | 24 +++++++++++-<br>
> + src/text/template/exec_test.go | 2 +<br>
> + src/text/template/parse/lex.go | 13 ++++++-<br>
> + src/text/template/parse/lex_test.go | 2 +<br>
> + src/text/template/parse/node.go | 36 ++++++++++++++++++<br>
> + src/text/template/parse/parse.go | 42 ++++++++++++++++++++-<br>
> + src/text/template/parse/parse_test.go | 8 ++++<br>
> + 11 files changed, 230 insertions(+), 4 deletions(-)<br>
> +<br>
> +diff --git a/src/html/template/context.go b/src/html/template/context.go<br>
> +index f7d4849..aaa7d08 100644<br>
> +--- a/src/html/template/context.go<br>
> ++++ b/src/html/template/context.go<br>
> +@@ -6,6 +6,7 @@ package template<br>
> +<br>
> + import (<br>
> + "fmt"<br>
> ++ "text/template/parse"<br>
> + )<br>
> +<br>
> + // context describes the state an HTML parser must be in when it reaches \
the<br> > +@@ -22,6 +23,7 @@ type context struct {<br>
> + jsCtx jsCtx<br>
> + attr attr<br>
> + element element<br>
> ++ n parse.Node // for range break/continue<br>
> + err *Error<br>
> + }<br>
> +<br>
> +@@ -141,6 +143,8 @@ const (<br>
> + // stateError is an infectious error state outside any valid<br>
> + // HTML/CSS/JS construct.<br>
> + stateError<br>
> ++ // stateDead marks unreachable code after a {{break}} or \
{{continue}}.<br> > ++ stateDead<br>
> + )<br>
> +<br>
> + // isComment is true for any state that contains content meant for \
template<br> > +diff --git a/src/html/template/escape.go \
b/src/html/template/escape.go<br> > +index 8739735..6dea79c 100644<br>
> +--- a/src/html/template/escape.go<br>
> ++++ b/src/html/template/escape.go<br>
> +@@ -97,6 +97,15 @@ type escaper struct {<br>
> + actionNodeEdits map[*parse.ActionNode][]string<br>
> + templateNodeEdits map[*parse.TemplateNode]string<br>
> + textNodeEdits map[*parse.TextNode][]byte<br>
> ++ // rangeContext holds context about the current range loop.<br>
> ++ rangeContext *rangeContext<br>
> ++}<br>
> ++<br>
> ++// rangeContext holds information about the current range loop.<br>
> ++type rangeContext struct {<br>
> ++ outer *rangeContext // outer loop<br>
> ++ breaks []context // context at each break action<br>
> ++ continues []context // context at each continue action<br>
> + }<br>
> +<br>
> + // makeEscaper creates a blank escaper for the given set.<br>
> +@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper {<br>
> + map[*parse.ActionNode][]string{},<br>
> + map[*parse.TemplateNode]string{},<br>
> + map[*parse.TextNode][]byte{},<br>
> ++ nil,<br>
> + }<br>
> + }<br>
> +<br>
> +@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node) context \
{<br> > + switch n := n.(type) {<br>
> + case *parse.ActionNode:<br>
> + return e.escapeAction(c, n)<br>
> ++ case *parse.BreakNode:<br>
> ++ c.n = n<br>
> ++ e.rangeContext.breaks = append(e.rangeContext.breaks, \
c)<br> > ++ return context{state: stateDead}<br>
> + case *parse.CommentNode:<br>
> + return c<br>
> ++ case *parse.ContinueNode:<br>
> ++ c.n = n<br>
> ++ e.rangeContext.continues = append(e.rangeContext.breaks, \
c)<br> > ++ return context{state: stateDead}<br>
> + case *parse.IfNode:<br>
> + return e.escapeBranch(c, &n.BranchNode, \
"if")<br> > + case *parse.ListNode:<br>
> +@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName string) \
context {<br> > + if b.state == stateError {<br>
> + return b<br>
> + }<br>
> ++ if a.state == stateDead {<br>
> ++ return b<br>
> ++ }<br>
> ++ if b.state == stateDead {<br>
> ++ return a<br>
> ++ }<br>
> + if a.eq(b) {<br>
> + return a<br>
> + }<br>
> +@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName string) \
context {<br> > +<br>
> + // escapeBranch escapes a branch template node: "if", \
"range" and "with".<br> > + func (e *escaper) escapeBranch(c \
context, n *parse.BranchNode, nodeName string) context {<br> > ++ if \
nodeName == "range" {<br> > ++ e.rangeContext = \
&rangeContext{outer: e.rangeContext}<br> > ++ }<br>
> + c0 := e.escapeList(c, n.List)<br>
> +- if nodeName == "range" && c0.state != stateError \
{<br> > ++ if nodeName == "range" {<br>
> ++ if c0.state != stateError {<br>
> ++ c0 = joinRange(c0, e.rangeContext)<br>
> ++ }<br>
> ++ e.rangeContext = e.rangeContext.outer<br>
> ++ if c0.state == stateError {<br>
> ++ return c0<br>
> ++ }<br>
> ++<br>
> + // The "true" branch of a "range" \
node can execute multiple times.<br> > + // We check that \
executing n.List once results in the same context<br> > + // \
as executing n.List twice.<br> > ++ e.rangeContext = \
&rangeContext{outer: e.rangeContext}<br> > + c1, _ := \
e.escapeListConditionally(c0, n.List, nil)<br> > + c0 = \
join(c0, c1, n, nodeName)<br> > + if c0.state == stateError \
{<br> > ++ e.rangeContext = \
e.rangeContext.outer<br> > + // Make clear that \
this is a problem on loop re-entry<br> > + // \
since developers tend to overlook that branch when<br> > + \
// debugging templates.<br> > +@@ -481,11 +518,39 @@ func (e *escaper) \
escapeBranch(c context, n *parse.BranchNode, nodeName string)<br> > + \
c0.err.Description = "on range loop re-entry: " + c0.err.Description<br> \
> + return c0<br> > + \
}<br> > ++ c0 = joinRange(c0, e.rangeContext)<br>
> ++ e.rangeContext = e.rangeContext.outer<br>
> ++ if c0.state == stateError {<br>
> ++ return c0<br>
> ++ }<br>
> + }<br>
> + c1 := e.escapeList(c, n.ElseList)<br>
> + return join(c0, c1, n, nodeName)<br>
> + }<br>
> +<br>
> ++func joinRange(c0 context, rc *rangeContext) context {<br>
> ++ // Merge contexts at break and continue statements into overall body \
context.<br> > ++ // In theory we could treat breaks differently from \
continues, but for now it is<br> > ++ // enough to treat them both as \
going back to the start of the loop (which may then stop).<br> > ++ for _, \
c := range rc.breaks {<br> > ++ c0 = join(c0, c, c.n, \
"range")<br> > ++ if c0.state == stateError {<br>
> ++ c0.err.Line = c.n.(*parse.BreakNode).Line<br>
> ++ c0.err.Description = "at range loop \
break: " + c0.err.Description<br> > ++ return \
c0<br> > ++ }<br>
> ++ }<br>
> ++ for _, c := range rc.continues {<br>
> ++ c0 = join(c0, c, c.n, "range")<br>
> ++ if c0.state == stateError {<br>
> ++ c0.err.Line = \
c.n.(*parse.ContinueNode).Line<br> > ++ \
c0.err.Description = "at range loop continue: " + c0.err.Description<br> \
> ++ return c0<br> > ++ \
}<br> > ++ }<br>
> ++ return c0<br>
> ++}<br>
> ++<br>
> + // escapeList escapes a list template node.<br>
> + func (e *escaper) escapeList(c context, n *parse.ListNode) context {<br>
> + if n == nil {<br>
> +@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) \
context {<br> > + }<br>
> + for _, m := range n.Nodes {<br>
> + c = e.escape(c, m)<br>
> ++ if c.state == stateDead {<br>
> ++ break<br>
> ++ }<br>
> + }<br>
> + return c<br>
> + }<br>
> +@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) \
context {<br> > + // which is the same as whether e was updated.<br>
> + func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter \
func(*escaper, context) bool) (context, bool) {<br> > + e1 := \
makeEscaper(e.ns)<br> > ++ e1.rangeContext = e.rangeContext<br>
> + // Make type inferences available to f.<br>
> + for k, v := range e.output {<br>
> + e1.output[k] = v<br>
> +diff --git a/src/html/template/escape_test.go \
b/src/html/template/escape_test.go<br> > +index c709660..fa2b84a 100644<br>
> +--- a/src/html/template/escape_test.go<br>
> ++++ b/src/html/template/escape_test.go<br>
> +@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) {<br>
> + "<a href='/foo?{{range \
.Items}}&{{.K}}={{.V}}{{end}}'>",<br> > + \
"",<br> > + },<br>
> ++ {<br>
> ++ "{{range .Items}}<a{{if \
.X}}{{end}}>{{end}}",<br> > ++ \
"",<br> > ++ },<br>
> ++ {<br>
> ++ "{{range .Items}}<a{{if \
.X}}{{end}}>{{continue}}{{end}}",<br> > ++ \
"",<br> > ++ },<br>
> ++ {<br>
> ++ "{{range .Items}}<a{{if \
.X}}{{end}}>{{break}}{{end}}",<br> > ++ \
"",<br> > ++ },<br>
> ++ {<br>
> ++ "{{range .Items}}<a{{if \
.X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}",<br> > ++ \
"",<br> > ++ },<br>
> + // Error cases.<br>
> + {<br>
> + "{{if .Cond}}<a{{end}}",<br>
> +@@ -956,6 +972,14 @@ func TestErrors(t *testing.T) {<br>
> + "z:2:8: on range loop re-entry: \
{{range}} branches",<br> > + },<br>
> + {<br>
> ++ "{{range .Items}}<a{{if \
.X}}{{break}}{{end}}>{{end}}",<br> > ++ \
"z:1:29: at range loop break: {{range}} branches end in different \
contexts",<br> > ++ },<br>
> ++ {<br>
> ++ "{{range .Items}}<a{{if \
.X}}{{continue}}{{end}}>{{end}}",<br> > ++ \
"z:1:29: at range loop continue: {{range}} branches end in different \
contexts",<br> > ++ },<br>
> ++ {<br>
> + "<a b=1 c={{.H}}",<br>
> + "z: ends in a non-text context: \
{stateAttr delimSpaceOrTagEnd",<br> > + },<br>
> +diff --git a/src/text/template/doc.go b/src/text/template/doc.go<br>
> +index 7b30294..0228b15 100644<br>
> +--- a/src/text/template/doc.go<br>
> ++++ b/src/text/template/doc.go<br>
> +@@ -112,6 +112,14 @@ data, defined in detail in the corresponding sections that \
follow.<br> > + T0 is executed; otherwise, dot is set to the \
successive elements<br> > + of the array, slice, or map and \
T1 is executed.<br> > +<br>
> ++ {{break}}<br>
> ++ The innermost {{range pipeline}} loop is ended early, \
stopping the<br> > ++ current iteration and bypassing all \
remaining iterations.<br> > ++<br>
> ++ {{continue}}<br>
> ++ The current iteration of the innermost {{range pipeline}} \
loop is<br> > ++ stopped, and the loop starts the next \
iteration.<br> > ++<br>
> + {{template "name"}}<br>
> + The template with the specified name is executed with \
nil data.<br> > +<br>
> +diff --git a/src/text/template/exec.go b/src/text/template/exec.go<br>
> +index 7ac5175..6cb140a 100644<br>
> +--- a/src/text/template/exec.go<br>
> ++++ b/src/text/template/exec.go<br>
> +@@ -5,6 +5,7 @@<br>
> + package template<br>
> +<br>
> + import (<br>
> ++ "errors"<br>
> + "fmt"<br>
> + "internal/fmtsort"<br>
> + "io"<br>
> +@@ -244,6 +245,12 @@ func (t *Template) DefinedTemplates() string {<br>
> + return b.String()<br>
> + }<br>
> +<br>
> ++// Sentinel errors for use with panic to signal early exits from range \
loops.<br> > ++var (<br>
> ++ walkBreak = errors.New("break")<br>
> ++ walkContinue = errors.New("continue")<br>
> ++)<br>
> ++<br>
> + // Walk functions step through the major pieces of the template structure,<br>
> + // generating output as they go.<br>
> + func (s *state) walk(dot reflect.Value, node parse.Node) {<br>
> +@@ -256,7 +263,11 @@ func (s *state) walk(dot reflect.Value, node parse.Node) \
{<br> > + if len(node.Pipe.Decl) == 0 {<br>
> + s.printValue(node, val)<br>
> + }<br>
> ++ case *parse.BreakNode:<br>
> ++ panic(walkBreak)<br>
> + case *parse.CommentNode:<br>
> ++ case *parse.ContinueNode:<br>
> ++ panic(walkContinue)<br>
> + case *parse.IfNode:<br>
> + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, \
node.ElseList)<br> > + case *parse.ListNode:<br>
> +@@ -335,6 +346,11 @@ func isTrue(val reflect.Value) (truth, ok bool) {<br>
> +<br>
> + func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) {<br>
> + <a href="http://s.at" rel="noreferrer" \
target="_blank">s.at</a>(r)<br> > ++ defer func() {<br>
> ++ if r := recover(); r != nil && r != walkBreak \
{<br> > ++ panic(r)<br>
> ++ }<br>
> ++ }()<br>
> + defer s.pop(s.mark())<br>
> + val, _ := indirect(s.evalPipeline(dot, r.Pipe))<br>
> + // mark top of stack before any variables in the body are \
pushed.<br> > +@@ -348,8 +364,14 @@ func (s *state) walkRange(dot reflect.Value, r \
*parse.RangeNode) {<br> > + if len(r.Pipe.Decl) > 1 {<br>
> + s.setTopVar(2, index)<br>
> + }<br>
> ++ defer s.pop(mark)<br>
> ++ defer func() {<br>
> ++ // Consume panic(walkContinue)<br>
> ++ if r := recover(); r != nil && r != \
walkContinue {<br> > ++ panic(r)<br>
> ++ }<br>
> ++ }()<br>
> + s.walk(elem, r.List)<br>
> +- s.pop(mark)<br>
> + }<br>
> + switch val.Kind() {<br>
> + case reflect.Array, reflect.Slice:<br>
> +diff --git a/src/text/template/exec_test.go \
b/src/text/template/exec_test.go<br> > +index 3309b33..a639f44 100644<br>
> +--- a/src/text/template/exec_test.go<br>
> ++++ b/src/text/template/exec_test.go<br>
> +@@ -563,6 +563,8 @@ var execTests = []execTest{<br>
> + {"range empty no else", "{{range \
.SIEmpty}}-{{.}}-{{end}}", "", tVal, true},<br> > + \
{"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", \
"-3--4--5-", tVal, true},<br> > + {"range empty \
else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", \
"EMPTY", tVal, true},<br> > ++ {"range []int break \
else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", \
"-3-", tVal, true},<br> > ++ {"range []int continue \
else", "{{range \
.SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", \
tVal, true},<br> > + {"range []bool", "{{range \
.SB}}-{{.}}-{{end}}", "-true--false-", tVal, true},<br> > + \
{"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", \
"-20--21--22-", tVal, true},<br> > + {"range map", \
"{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true},<br> \
> +diff --git a/src/text/template/parse/lex.go \
b/src/text/template/parse/lex.go<br> > +index 6784071..95e3377 100644<br>
> +--- a/src/text/template/parse/lex.go<br>
> ++++ b/src/text/template/parse/lex.go<br>
> +@@ -62,6 +62,8 @@ const (<br>
> + // Keywords appear after all the rest.<br>
> + itemKeyword // used only to delimit the keywords<br>
> + itemBlock // block keyword<br>
> ++ itemBreak // break keyword<br>
> ++ itemContinue // continue keyword<br>
> + itemDot // the cursor, spelled '.'<br>
> + itemDefine // define keyword<br>
> + itemElse // else keyword<br>
> +@@ -76,6 +78,8 @@ const (<br>
> + var key = map[string]itemType{<br>
> + ".": itemDot,<br>
> + "block": itemBlock,<br>
> ++ "break": itemBreak,<br>
> ++ "continue": itemContinue,<br>
> + "define": itemDefine,<br>
> + "else": itemElse,<br>
> + "end": itemEnd,<br>
> +@@ -119,6 +123,8 @@ type lexer struct {<br>
> + parenDepth int // nesting depth of ( ) exprs<br>
> + line int // 1+number of newlines seen<br>
> + startLine int // start line of this item<br>
> ++ breakOK bool // break keyword allowed<br>
> ++ continueOK bool // continue keyword allowed<br>
> + }<br>
> +<br>
> + // next returns the next rune in the input.<br>
> +@@ -461,7 +467,12 @@ Loop:<br>
> + }<br>
> + switch {<br>
> + case key[word] > itemKeyword:<br>
> +- l.emit(key[word])<br>
> ++ item := key[word]<br>
> ++ if item == itemBreak && \
!l.breakOK || item == itemContinue && !l.continueOK {<br> > ++ \
l.emit(itemIdentifier)<br> > ++ } else \
{<br> > ++ \
l.emit(item)<br> > ++ }<br>
> + case word[0] == '.':<br>
> + l.emit(itemField)<br>
> + case word == "true", word == \
"false":<br> > +diff --git a/src/text/template/parse/lex_test.go \
b/src/text/template/parse/lex_test.go<br> > +index 6510eed..df6aabf 100644<br>
> +--- a/src/text/template/parse/lex_test.go<br>
> ++++ b/src/text/template/parse/lex_test.go<br>
> +@@ -35,6 +35,8 @@ var itemName = map[itemType]string{<br>
> + // keywords<br>
> + itemDot: ".",<br>
> + itemBlock: "block",<br>
> ++ itemBreak: "break",<br>
> ++ itemContinue: "continue",<br>
> + itemDefine: "define",<br>
> + itemElse: "else",<br>
> + itemIf: "if",<br>
> +diff --git a/src/text/template/parse/node.go \
b/src/text/template/parse/node.go<br> > +index a9dad5e..c398da0 100644<br>
> +--- a/src/text/template/parse/node.go<br>
> ++++ b/src/text/template/parse/node.go<br>
> +@@ -71,6 +71,8 @@ const (<br>
> + NodeVariable // A $ variable.<br>
> + NodeWith // A with action.<br>
> + NodeComment // A comment.<br>
> ++ NodeBreak // A break action.<br>
> ++ NodeContinue // A continue action.<br>
> + )<br>
> +<br>
> + // Nodes.<br>
> +@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node {<br>
> + return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(), \
i.List.CopyList(), i.ElseList.CopyList())<br> > + }<br>
> +<br>
> ++// BreakNode represents a {{break}} action.<br>
> ++type BreakNode struct {<br>
> ++ tr *Tree<br>
> ++ NodeType<br>
> ++ Pos<br>
> ++ Line int<br>
> ++}<br>
> ++<br>
> ++func (t *Tree) newBreak(pos Pos, line int) *BreakNode {<br>
> ++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line: \
line}<br> > ++}<br>
> ++<br>
> ++func (b *BreakNode) Copy() Node { return \
b.tr.newBreak(b.Pos, b.Line) }<br> > ++func (b *BreakNode) String() string \
{ return "{{break}}" }<br> > ++func (b *BreakNode) tree() *Tree \
{ return <a href="http://b.tr" rel="noreferrer" target="_blank">b.tr</a> }<br> > \
++func (b *BreakNode) writeTo(sb *strings.Builder) { \
sb.WriteString("{{break}}") }<br> > ++<br>
> ++// ContinueNode represents a {{continue}} action.<br>
> ++type ContinueNode struct {<br>
> ++ tr *Tree<br>
> ++ NodeType<br>
> ++ Pos<br>
> ++ Line int<br>
> ++}<br>
> ++<br>
> ++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode {<br>
> ++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos, \
Line: line}<br> > ++}<br>
> ++<br>
> ++func (c *ContinueNode) Copy() Node { return \
c.tr.newContinue(c.Pos, c.Line) }<br> > ++func (c *ContinueNode) String() string \
{ return "{{continue}}" }<br> > ++func (c *ContinueNode) tree() *Tree \
{ return <a href="http://c.tr" rel="noreferrer" target="_blank">c.tr</a> }<br> > \
++func (c *ContinueNode) writeTo(sb *strings.Builder) { \
sb.WriteString("{{continue}}") }<br> > ++<br>
> + // RangeNode represents a {{range}} action and its commands.<br>
> + type RangeNode struct {<br>
> + BranchNode<br>
> +diff --git a/src/text/template/parse/parse.go \
b/src/text/template/parse/parse.go<br> > +index 5e6e512..7f78b56 100644<br>
> +--- a/src/text/template/parse/parse.go<br>
> ++++ b/src/text/template/parse/parse.go<br>
> +@@ -31,6 +31,7 @@ type Tree struct {<br>
> + vars []string // variables defined at the moment.<br>
> + treeSet map[string]*Tree<br>
> + actionLine int // line of left delim starting action<br>
> ++ rangeDepth int<br>
> + mode Mode<br>
> + }<br>
> +<br>
> +@@ -223,6 +224,8 @@ func (t *Tree) startParse(funcs []map[string]interface{}, \
lex *lexer, treeSet ma<br> > + t.vars = []string{"$"}<br>
> + t.funcs = funcs<br>
> + t.treeSet = treeSet<br>
> ++ lex.breakOK = !t.hasFunction("break")<br>
> ++ lex.continueOK = !t.hasFunction("continue")<br>
> + }<br>
> +<br>
> + // stopParse terminates parsing.<br>
> +@@ -385,6 +388,10 @@ func (t *Tree) action() (n Node) {<br>
> + switch token := t.nextNonSpace(); token.typ {<br>
> + case itemBlock:<br>
> + return t.blockControl()<br>
> ++ case itemBreak:<br>
> ++ return t.breakControl(token.pos, token.line)<br>
> ++ case itemContinue:<br>
> ++ return t.continueControl(token.pos, token.line)<br>
> + case itemElse:<br>
> + return t.elseControl()<br>
> + case itemEnd:<br>
> +@@ -404,6 +411,32 @@ func (t *Tree) action() (n Node) {<br>
> + return t.newAction(token.pos, token.line, \
t.pipeline("command", itemRightDelim))<br> > + }<br>
> +<br>
> ++// Break:<br>
> ++// {{break}}<br>
> ++// Break keyword is past.<br>
> ++func (t *Tree) breakControl(pos Pos, line int) Node {<br>
> ++ if token := t.next(); token.typ != itemRightDelim {<br>
> ++ t.unexpected(token, "in {{break}}")<br>
> ++ }<br>
> ++ if t.rangeDepth == 0 {<br>
> ++ t.errorf("{{break}} outside {{range}}")<br>
> ++ }<br>
> ++ return t.newBreak(pos, line)<br>
> ++}<br>
> ++<br>
> ++// Continue:<br>
> ++// {{continue}}<br>
> ++// Continue keyword is past.<br>
> ++func (t *Tree) continueControl(pos Pos, line int) Node {<br>
> ++ if token := t.next(); token.typ != itemRightDelim {<br>
> ++ t.unexpected(token, "in {{continue}}")<br>
> ++ }<br>
> ++ if t.rangeDepth == 0 {<br>
> ++ t.errorf("{{continue}} outside {{range}}")<br>
> ++ }<br>
> ++ return t.newContinue(pos, line)<br>
> ++}<br>
> ++<br>
> + // Pipeline:<br>
> + // declarations? command ('|' command)*<br>
> + func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) {<br>
> +@@ -479,8 +512,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context \
string) {<br> > + func (t *Tree) parseControl(allowElseIf bool, context string) \
(pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) {<br> > + \
defer t.popVars(len(t.vars))<br> > + pipe = t.pipeline(context, \
itemRightDelim)<br> > ++ if context == "range" {<br>
> ++ t.rangeDepth++<br>
> ++ }<br>
> + var next Node<br>
> + list, next = t.itemList()<br>
> ++ if context == "range" {<br>
> ++ t.rangeDepth--<br>
> ++ }<br>
> + switch next.Type() {<br>
> + case nodeEnd: //done<br>
> + case nodeElse:<br>
> +@@ -522,7 +561,8 @@ func (t *Tree) ifControl() Node {<br>
> + // {{range pipeline}} itemList {{else}} itemList {{end}}<br>
> + // Range keyword is past.<br>
> + func (t *Tree) rangeControl() Node {<br>
> +- return t.newRange(t.parseControl(false, "range"))<br>
> ++ r := t.newRange(t.parseControl(false, "range"))<br>
> ++ return r<br>
> + }<br>
> +<br>
> + // With:<br>
> +diff --git a/src/text/template/parse/parse_test.go \
b/src/text/template/parse/parse_test.go<br> > +index 220f984..ba45636 100644<br>
> +--- a/src/text/template/parse/parse_test.go<br>
> ++++ b/src/text/template/parse/parse_test.go<br>
> +@@ -230,6 +230,10 @@ var parseTests = []parseTest{<br>
> + `{{range $x := .SI}}{{.}}{{end}}`},<br>
> + {"range 2 vars", "{{range $x, $y := \
.SI}}{{.}}{{end}}", noError,<br> > + `{{range $x, $y := \
.SI}}{{.}}{{end}}`},<br> > ++ {"range with break", "{{range \
.SI}}{{.}}{{break}}{{end}}", noError,<br> > ++ `{{range \
.SI}}{{.}}{{break}}{{end}}`},<br> > ++ {"range with continue", \
"{{range .SI}}{{.}}{{continue}}{{end}}", noError,<br> > ++ \
`{{range .SI}}{{.}}{{continue}}{{end}}`},<br> > + \
{"constants", "{{range .SI 1 -3.2i true false 'a' \
nil}}{{end}}", noError,<br> > + `{{range .SI 1 -3.2i \
true false 'a' nil}}{{end}}`},<br> > + {"template", \
"{{template `x`}}", noError,<br> > +@@ -279,6 +283,10 @@ var parseTests \
= []parseTest{<br> > + {"adjacent args", "{{printf \
3`x`}}", hasError, ""},<br> > + {"adjacent args with \
.", "{{printf `x`.}}", hasError, ""},<br> > + \
{"extra end after if", "{{if .X}}a{{else if .Y}}b{{end}}{{end}}", \
hasError, ""},<br> > ++ {"break outside range", \
"{{range .}}{{end}} {{break}}", hasError, ""},<br> > ++ \
{"continue outside range", "{{range .}}{{end}} {{continue}}", \
hasError, ""},<br> > ++ {"break in range else", \
"{{range .}}{{else}}{{break}}{{end}}", hasError, ""},<br> > ++ \
{"continue in range else", "{{range \
.}}{{else}}{{continue}}{{end}}", hasError, ""},<br> > + \
// Other kinds of assignments and operators aren't available yet.<br> > + \
{"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := \
0}}{{$x}}"},<br> > + {"bug0b", "{{$x += \
1}}{{$x}}", hasError, ""},<br> > +--<br>
> +2.7.4<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch<br> > similarity index \
53%<br> > rename from meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch<br>
> rename to meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch<br>
> index d5bb33e091..baf400b891 100644<br>
> --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch<br>
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch<br>
> @@ -1,7 +1,7 @@<br>
> From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001<br>
> From: Roland Shoemaker <<a href="mailto:bracewell@google.com" \
target="_blank">bracewell@google.com</a>><br> > Date: Mon, 20 Mar 2023 \
11:01:13 -0700<br> > -Subject: [PATCH 3/3] html/template: disallow actions in JS \
template literals<br> > +Subject: [PATCH 6/6] html/template: disallow actions in \
JS template literals<br> ><br>
> ECMAScript 6 introduced template literals[0][1] which are delimited with<br>
> backticks. These need to be escaped in a similar fashion to the<br>
> @@ -52,12 +52,15 @@ CVE: CVE-2023-24538<br>
> Signed-off-by: Shubham Kulkarni <<a href="mailto:skulkarni@mvista.com" \
target="_blank">skulkarni@mvista.com</a>><br> > ---<br>
> src/html/template/context.go | 2 ++<br>
> - src/html/template/error.go | 13 +++++++++++++<br>
> - src/html/template/escape.go | 11 +++++++++++<br>
> + src/html/template/error.go | 13 ++++++++<br>
> + src/html/template/escape.go | 11 +++++++<br>
> + src/html/template/escape_test.go | 66 \
++++++++++++++++++++++-----------------<br> > src/html/template/js.go \
| 2 ++<br> > - src/html/template/jsctx_string.go | 9 +++++++++<br>
> - src/html/template/transition.go | 7 ++++++-<br>
> - 6 files changed, 43 insertions(+), 1 deletion(-)<br>
> + src/html/template/js_test.go | 2 +-<br>
> + src/html/template/jsctx_string.go | 9 ++++++<br>
> + src/html/template/state_string.go | 37 ++++++++++++++++++++--<br>
> + src/html/template/transition.go | 7 ++++-<br>
> + 9 files changed, 116 insertions(+), 33 deletions(-)<br>
><br>
> diff --git a/src/html/template/context.go b/src/html/template/context.go<br>
> index f7d4849..0b65313 100644<br>
> @@ -125,6 +128,104 @@ index f12dafa..29ca5b3 100644<br>
> case stateJSRegexp:<br>
> s = append(s, \
"_html_template_jsregexpescaper")<br> > case stateCSS:<br>
> +diff --git a/src/html/template/escape_test.go \
b/src/html/template/escape_test.go<br> > +index fa2b84a..1b150e9 100644<br>
> +--- a/src/html/template/escape_test.go<br>
> ++++ b/src/html/template/escape_test.go<br>
> +@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) {<br>
> + }<br>
> +<br>
> + for _, test := range tests {<br>
> +- tmpl := New(<a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>)<br> > +- tmpl = \
Must(tmpl.Parse(test.input))<br> > +- // Check for bug 6459: \
Tree field was not set in Parse.<br> > +- if tmpl.Tree != \
tmpl.text.Tree {<br> > +- t.Errorf("%s: tree \
not set properly", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>)<br> > +- \
continue<br> > +- }<br>
> +- b := new(bytes.Buffer)<br>
> +- if err := tmpl.Execute(b, data); err != nil {<br>
> +- t.Errorf("%s: template execution failed: \
%s", <a href="http://test.name" rel="noreferrer" target="_blank">test.name</a>, \
err)<br> > +- continue<br>
> +- }<br>
> +- if w, g := test.output, b.String(); w != g {<br>
> +- t.Errorf("%s: escaped output: \
want\n\t%q\ngot\n\t%q", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, w, g)<br> > +- \
continue<br> > +- }<br>
> +- b.Reset()<br>
> +- if err := tmpl.Execute(b, pdata); err != nil {<br>
> +- t.Errorf("%s: template execution failed \
for pointer: %s", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, err)<br> > +- \
continue<br> > +- }<br>
> +- if w, g := test.output, b.String(); w != g {<br>
> +- t.Errorf("%s: escaped output for \
pointer: want\n\t%q\ngot\n\t%q", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, w, g)<br> > +- \
continue<br> > +- }<br>
> +- if tmpl.Tree != tmpl.text.Tree {<br>
> +- t.Errorf("%s: tree mismatch", <a \
href="http://test.name" rel="noreferrer" target="_blank">test.name</a>)<br> > +- \
continue<br> > +- }<br>
> ++ t.Run(<a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, func(t *testing.T) {<br> > ++ \
tmpl := New(<a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>)<br> > ++ tmpl = \
Must(tmpl.Parse(test.input))<br> > ++ // Check for \
bug 6459: Tree field was not set in Parse.<br> > ++ \
if tmpl.Tree != tmpl.text.Tree {<br> > ++ \
t.Fatalf("%s: tree not set properly", <a href="http://test.name" \
rel="noreferrer" target="_blank">test.name</a>)<br> > ++ \
}<br> > ++ b := new(strings.Builder)<br>
> ++ if err := tmpl.Execute(b, data); err != nil \
{<br> > ++ t.Fatalf("%s: template \
execution failed: %s", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, err)<br> > ++ }<br>
> ++ if w, g := test.output, b.String(); w != g \
{<br> > ++ t.Fatalf("%s: escaped \
output: want\n\t%q\ngot\n\t%q", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, w, g)<br> > ++ \
}<br> > ++ b.Reset()<br>
> ++ if err := tmpl.Execute(b, pdata); err != nil \
{<br> > ++ t.Fatalf("%s: template \
execution failed for pointer: %s", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>, err)<br> > ++ }<br>
> ++ if w, g := test.output, b.String(); w != g \
{<br> > ++ t.Fatalf("%s: escaped \
output for pointer: want\n\t%q\ngot\n\t%q", <a href="http://test.name" \
rel="noreferrer" target="_blank">test.name</a>, w, g)<br> > ++ \
}<br> > ++ if tmpl.Tree != tmpl.text.Tree {<br>
> ++ t.Fatalf("%s: tree \
mismatch", <a href="http://test.name" rel="noreferrer" \
target="_blank">test.name</a>)<br> > ++ }<br>
> ++ })<br>
> + }<br>
> + }<br>
> +<br>
> +@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) {<br>
> + "{{range .Items}}<a{{if \
.X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}",<br> > + \
"",<br> > + },<br>
> ++ {<br>
> ++ "<script>var a = \
`${a+b}`</script>`",<br> > ++ \
"",<br> > ++ },<br>
> + // Error cases.<br>
> + {<br>
> + "{{if .Cond}}<a{{end}}",<br>
> +@@ -1082,6 +1082,10 @@ func TestErrors(t *testing.T) {<br>
> + // html is allowed since it is the last \
command in the pipeline, but urlquery is not.<br> > + \
`predefined escaper "urlquery" disallowed in template`,<br> > + \
},<br> > ++ {<br>
> ++ "<script>var tmpl = `asd \
{{.}}`;</script>",<br> > ++ `{{.}} \
appears in a JS template literal`,<br> > ++ },<br>
> + }<br>
> + for _, test := range tests {<br>
> + buf := new(bytes.Buffer)<br>
> +@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) {<br>
> + context{state: stateJSSqStr, delim: \
delimDoubleQuote, attr: attrScript},<br> > + },<br>
> + {<br>
> ++ "<a onclick=\"`foo",<br>
> ++ context{state: stateJSBqStr, delim: \
delimDoubleQuote, attr: attrScript},<br> > ++ },<br>
> ++ {<br>
> + `<A ONCLICK="'`,<br>
> + context{state: stateJSSqStr, delim: \
delimDoubleQuote, attr: attrScript},<br> > + },<br>
> diff --git a/src/html/template/js.go b/src/html/template/js.go<br>
> index ea9c183..b888eaf 100644<br>
> --- a/src/html/template/js.go<br>
> @@ -145,6 +246,19 @@ index ea9c183..b888eaf 100644<br>
> '+': `\u002b`,<br>
> '/': `\/`,<br>
> '<': `\u003c`,<br>
> +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go<br>
> +index d7ee47b..7d963ae 100644<br>
> +--- a/src/html/template/js_test.go<br>
> ++++ b/src/html/template/js_test.go<br>
> +@@ -292,7 +292,7 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t \
*testing.T) {<br> > + \
`0123456789:;\u003c=\u003e?` +<br> > + \
`@ABCDEFGHIJKLMNO` +<br> > + \
`PQRSTUVWXYZ[\\]^_` +<br> > +- \
"`abcdefghijklmno" +<br> > ++ \
"\\u0060abcdefghijklmno" +<br> > + \
"pqrstuvwxyz{|}~\u007f" +<br> > + \
"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",<br> > + \
},<br> > diff --git a/src/html/template/jsctx_string.go \
b/src/html/template/jsctx_string.go<br> > index dd1d87e..2394893 100644<br>
> --- a/src/html/template/jsctx_string.go<br>
> @@ -165,6 +279,55 @@ index dd1d87e..2394893 100644<br>
> const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown"<br>
><br>
> var _jsCtx_index = [...]uint8{0, 11, 21, 33}<br>
> +diff --git a/src/html/template/state_string.go \
b/src/html/template/state_string.go<br> > +index 05104be..6fb1a6e 100644<br>
> +--- a/src/html/template/state_string.go<br>
> ++++ b/src/html/template/state_string.go<br>
> +@@ -4,9 +4,42 @@ package template<br>
> +<br>
> + import "strconv"<br>
> +<br>
> +-const _state_name = \
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCD \
ATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBloc \
kCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"<br>
> ++func _() {<br>
> ++ // An "invalid array index" compiler error signifies that \
the constant values have changed.<br> > ++ // Re-run the stringer command \
to generate them again.<br> > ++ var x [1]struct{}<br>
> ++ _ = x[stateText-0]<br>
> ++ _ = x[stateTag-1]<br>
> ++ _ = x[stateAttrName-2]<br>
> ++ _ = x[stateAfterName-3]<br>
> ++ _ = x[stateBeforeValue-4]<br>
> ++ _ = x[stateHTMLCmt-5]<br>
> ++ _ = x[stateRCDATA-6]<br>
> ++ _ = x[stateAttr-7]<br>
> ++ _ = x[stateURL-8]<br>
> ++ _ = x[stateSrcset-9]<br>
> ++ _ = x[stateJS-10]<br>
> ++ _ = x[stateJSDqStr-11]<br>
> ++ _ = x[stateJSSqStr-12]<br>
> ++ _ = x[stateJSBqStr-13]<br>
> ++ _ = x[stateJSRegexp-14]<br>
> ++ _ = x[stateJSBlockCmt-15]<br>
> ++ _ = x[stateJSLineCmt-16]<br>
> ++ _ = x[stateCSS-17]<br>
> ++ _ = x[stateCSSDqStr-18]<br>
> ++ _ = x[stateCSSSqStr-19]<br>
> ++ _ = x[stateCSSDqURL-20]<br>
> ++ _ = x[stateCSSSqURL-21]<br>
> ++ _ = x[stateCSSURL-22]<br>
> ++ _ = x[stateCSSBlockCmt-23]<br>
> ++ _ = x[stateCSSLineCmt-24]<br>
> ++ _ = x[stateError-25]<br>
> ++ _ = x[stateDead-26]<br>
> ++}<br>
> ++<br>
> ++const _state_name = \
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCD \
ATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegex \
pstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"<br>
> +<br>
> +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, \
118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}<br> > \
++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, \
130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}<br> \
> +<br> > + func (i state) String() string {<br>
> + if i >= state(len(_state_index)-1) {<br>
> diff --git a/src/html/template/transition.go \
b/src/html/template/transition.go<br> > index 06df679..92eb351 100644<br>
> --- a/src/html/template/transition.go<br>
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch<br> > index \
20e70c0485..00def8fcda 100644<br> > --- \
a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch<br> > +++ \
b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch<br> > @@ -34,9 +34,9 @@ \
Signed-off-by: Siddharth Doshi <<a href="mailto:sdoshi@mvista.com" \
target="_blank">sdoshi@mvista.com</a>><br> > src/html/template/context.go \
| 6 ++-<br> > src/html/template/escape.go | 5 +-<br>
> src/html/template/escape_test.go | 10 ++++<br>
> - src/html/template/state_string.go | 4 +-<br>
> + src/html/template/state_string.go | 26 +++++-----<br>
> src/html/template/transition.go | 80 ++++++++++++++++++++-----------<br>
> - 5 files changed, 72 insertions(+), 33 deletions(-)<br>
> + 5 files changed, 84 insertions(+), 43 deletions(-)<br>
><br>
> diff --git a/src/html/template/context.go b/src/html/template/context.go<br>
> index 0b65313..4eb7891 100644<br>
> @@ -105,14 +105,38 @@ diff --git a/src/html/template/state_string.go \
b/src/html/template/state_string.<br> > index 05104be..b5cfe70 100644<br>
> --- a/src/html/template/state_string.go<br>
> +++ b/src/html/template/state_string.go<br>
> -@@ -4,9 +4,9 @@ package template<br>
> -<br>
> - import "strconv"<br>
> +@@ -25,21 +25,23 @@ func _() {<br>
> + _ = x[stateJSRegexp-14]<br>
> + _ = x[stateJSBlockCmt-15]<br>
> + _ = x[stateJSLineCmt-16]<br>
> +- _ = x[stateCSS-17]<br>
> +- _ = x[stateCSSDqStr-18]<br>
> +- _ = x[stateCSSSqStr-19]<br>
> +- _ = x[stateCSSDqURL-20]<br>
> +- _ = x[stateCSSSqURL-21]<br>
> +- _ = x[stateCSSURL-22]<br>
> +- _ = x[stateCSSBlockCmt-23]<br>
> +- _ = x[stateCSSLineCmt-24]<br>
> +- _ = x[stateError-25]<br>
> +- _ = x[stateDead-26]<br>
> ++ _ = x[stateJSHTMLOpenCmt-17]<br>
> ++ _ = x[stateJSHTMLCloseCmt-18]<br>
> ++ _ = x[stateCSS-19]<br>
> ++ _ = x[stateCSSDqStr-20]<br>
> ++ _ = x[stateCSSSqStr-21]<br>
> ++ _ = x[stateCSSDqURL-22]<br>
> ++ _ = x[stateCSSSqURL-23]<br>
> ++ _ = x[stateCSSURL-24]<br>
> ++ _ = x[stateCSSBlockCmt-25]<br>
> ++ _ = x[stateCSSLineCmt-26]<br>
> ++ _ = x[stateError-27]<br>
> ++ _ = x[stateDead-28]<br>
> + }<br>
><br>
> --const _state_name = \
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCD \
ATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBloc \
kCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError"<br>
> +-const _state_name = \
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCD \
ATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegex \
pstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"<br>
> +const _state_name = \
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCD \
ATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegex \
pstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqS \
trstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"<br>
><br>
> --var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, \
118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296}<br> > \
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, \
130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}<br> \
> +var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, \
118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, \
345, 354}<br> ><br>
> func (i state) String() string {<br>
> --<br>
> 2.42.0<br>
><br>
><br>
> <br>
><br>
</blockquote></div>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188460): https://lists.openembedded.org/g/openembedded-core/message/188460
Mute This Topic: https://lists.openembedded.org/mt/101664679/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic