Cypherpunks repositories - gostls13.git/commit

author	Olivier Mengué <olivier.mengue@gmail.com>
	Mon, 30 Jun 2025 14:58:59 +0000 (16:58 +0200)
committer	Gopher Robot <gobot@golang.org>
	Wed, 30 Jul 2025 15:43:19 +0000 (08:43 -0700)
commit	ebee011a54f9310099d02a7e7731330539db16cf
tree	d6d7e6a4ae98729f247e725f86056d65bf64506e	tree
parent	84fb1b8253b54a5809b2e84bd38d9f1408c46766	commit \| diff

[release-branch.go1.25] os/exec: fix incorrect expansion of "", "." and ".." in LookPath

Fix incorrect expansion of "" and "." when $PATH contains an executable
file or, on Windows, a parent directory of a %PATH% element contains an
file with the same name as the %PATH% element but with one of the
%PATHEXT% extension (ex: C:\utils\bin is in PATH, and C:\utils\bin.exe
exists).

Fix incorrect expansion of ".." when $PATH contains an element which is
an the concatenation of the path to an executable file (or on Windows
a path that can be expanded to an executable by appending a %PATHEXT%
extension), a path separator and a name.

"", "." and ".." are now rejected early with ErrNotFound.

Fixes CVE-2025-47906
Fixes #74466

Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e
Reviewed-on: https://go-review.googlesource.com/c/go/+/685755
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit e0b07dc22eaab1b003d98ad6d63cdfacc76c5c70)
Reviewed-on: https://go-review.googlesource.com/c/go/+/691775
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>

src/os/exec/dot_test.go		diff \| blob \| history
src/os/exec/exec.go		diff \| blob \| history
src/os/exec/lp_plan9.go		diff \| blob \| history
src/os/exec/lp_unix.go		diff \| blob \| history
src/os/exec/lp_windows.go		diff \| blob \| history