Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

特殊值永远成功漏洞 CVE-2023-45292 GO-2023-2386 #120

Closed
cangkuai opened this issue Dec 1, 2023 · 2 comments
Closed

特殊值永远成功漏洞 CVE-2023-45292 GO-2023-2386 #120

cangkuai opened this issue Dec 1, 2023 · 2 comments

Comments

@cangkuai
Copy link

cangkuai commented Dec 1, 2023
edited
Loading

当store.Verify的answer为空字符串并且id不存在时返回值永远为true
复原代码

package main

import (
	"fmt"
	"strconv"
	"testing"

	"github.com/mojocn/base64Captcha"
)

func TestCat(t *testing.T) {
	var store = base64Captcha.DefaultMemStore
	fmt.Println(strconv.FormatBool(store.Verify("dsad", "", true)))
}
@cangkuai cangkuai mentioned this issue Dec 6, 2023
Closed
1 task
@cangkuai cangkuai changed the title 特殊值永远成功漏洞 特殊值永远成功漏洞 GO-2023-2386 Dec 7, 2023
@cangkuai cangkuai changed the title 特殊值永远成功漏洞 GO-2023-2386 特殊值永远成功漏洞 CVE-2023-45292 GO-2023-2386 Dec 7, 2023
@cangkuai
Copy link
Author

cangkuai commented Dec 8, 2023
edited
Loading

破案了,你有v.1.3.5和v1.3.5两个tag,其中v.1.3.5修了,但是v1.3.5没修,但是go认为最新版本是v1.3.5所以是没修的

@mojocn
Copy link
Owner

mojocn commented Dec 8, 2023

破案了,你有v.1.3.5和v1.3.5两个tag,其中v.1.3.5修了,但是v1.3.5没修,但是go认为最新版本是v1.3.5所以是没修的

感谢

@mojocn mojocn closed this as completed Dec 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cangkuai @mojocn