GoAhead 6.0.1 Update

A GoAhead 6.0.1 security update has been released that addresses some minor security issues.

JST Parsing Issue

The Javascript ServerSide Templates (JST) engine in GoAhead is used to dynamically render HTML pages. The embedded JavaScript code is executed at runtime to generate the HTML response.

A flaw in the JST engine causes invalid JST pages to be handled incorrectly, which may crash the server with a NULL dereference or a use-after-free.

This issue is not remotely exploitable: it requires a prior compromise of the system granting root or equivalent privilege sufficient to modify JST pages and code to include invalid JavaScript tokens.

Memory Depletion Issue

GoAhead centrally handles memory allocation errors by invoking a memory notifier. This function can handle the memory error, typically by restarting the web server.

From the doc:

It is difficult and error-prone for programmers to always check the result of every API call that can possibly fail due to memory allocation errors. Calls such as strdup and asprintf are often assumed to succeed, but they can, and do fail when memory is depleted.

If a developer forgets to install a memory notifier and a memory allocation inside GoAhead or in the developer's device-specific code fails, the result can be a NULL dereference and a crash.

The default GoAhead configuration required the developer to install a notifier via the websSetMemNotifier function. The 6.0.1 release adds a default notifier so that memory allocation errors will be handled. The default function prints a message and aborts the process so that it can be restarted.

See the doc for details:

This issue only impacts those who have not installed a memory notifier, and primarily impacts those who use ME_GOAHEAD_REPLACE_MALLOC to replace the standard malloc functions with fixed-buffer memory allocators that have limited capacity.

Upgrade if you have not installed a memory notifier. It is recommended that developers use websSetMemNotifier to define their own memory notifier.
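To make the notifier mechanism concrete, here is a small constructed C model (added here, not GoAhead's own code): a fixed-capacity allocator standing in for a ME_GOAHEAD_REPLACE_MALLOC-style pool, an allocation wrapper that routes every failure through a central notifier, a default notifier that prints and aborts as 6.0.1 now does, and a setter in the role of websSetMemNotifier. The notifier signature `(int cause, size_t size)`, the pool size and all function names are assumptions for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed fixed-capacity bump allocator, standing in for a limited
 * fixed-buffer allocator of the kind used with ME_GOAHEAD_REPLACE_MALLOC. */
#define POOL_SIZE 256
static unsigned char pool[POOL_SIZE];
static size_t poolUsed = 0;

/* Notifier callback type; signature is an assumption, not GoAhead's header. */
typedef void (*MemNotifier)(int cause, size_t size);

/* Default notifier: report the failure and abort so a supervisor can
 * restart the process, mirroring the 6.0.1 default behaviour. */
static void defaultMemNotifier(int cause, size_t size) {
    fprintf(stderr, "Memory allocation of %zu bytes failed (cause %d), aborting\n",
            size, cause);
    abort();
}

/* The default is always installed, so a forgotten notifier can no longer
 * turn an allocation failure into a silent NULL dereference. */
static MemNotifier memNotifier = defaultMemNotifier;

/* Hypothetical analogue of websSetMemNotifier: NULL restores the default. */
static void setMemNotifier(MemNotifier cback) {
    memNotifier = cback ? cback : defaultMemNotifier;
}

/* Central allocation wrapper: every failure goes through the notifier, so
 * callers that assume success (strdup/asprintf style) are still covered. */
static void *poolAlloc(size_t size) {
    if (size == 0 || size > POOL_SIZE - poolUsed) {
        memNotifier(1, size);   /* cause 1: pool exhausted (constructed code) */
        return NULL;
    }
    void *p = pool + poolUsed;
    poolUsed += size;
    return p;
}

/* Custom notifier that records the failure instead of aborting, as a
 * device-specific handler might log and schedule a restart. */
static int notifierCalls = 0;
static size_t lastFailedSize = 0;
static void recordingNotifier(int cause, size_t size) {
    (void)cause;
    notifierCalls++;
    lastFailedSize = size;
}

static void poolReset(void) { poolUsed = 0; }
```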

Summary of Changes

Download from the Builder at
