diff options
| author | Youlin Feng <fengyoulin@live.com> | 2025-09-04 09:17:26 +0800 |
|---|---|---|
| committer | Michael Matloob <matloob@golang.org> | 2025-09-16 12:31:12 -0700 |
| commit | cbdad4fc3cecbdfcee4e9d30df04916a151bfc16 (patch) | |
| tree | 1857bbcaab6cf86aa94262b05d7579aa9ecffe79 /src/cmd | |
| parent | c2d85eb999fcd428a1cd71ed93805cbde0c16eaa (diff) | |
| download | go-cbdad4fc3cecbdfcee4e9d30df04916a151bfc16.tar.xz | |
cmd/go: check pattern for utf8 validity before call regexp.MustCompile
Do not panic if the package path or the package version contains
invalid UTF-8 characters.
Fixes #75251
Change-Id: Ib787e74277cf814253857b911d378ea5e53d8824
Reviewed-on: https://go-review.googlesource.com/c/go/+/700815
Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Alexander <jitsu@google.com>
Reviewed-by: Michael Matloob <matloob@golang.org>
Diffstat (limited to 'src/cmd')
| -rw-r--r-- | src/cmd/go/internal/modget/query.go | 6 | ||||
| -rw-r--r-- | src/cmd/go/testdata/script/get_panic_issue75251.txt | 16 | ||||
| -rw-r--r-- | src/cmd/internal/pkgpattern/pkgpattern.go | 3 |
3 files changed, 24 insertions, 1 deletions
diff --git a/src/cmd/go/internal/modget/query.go b/src/cmd/go/internal/modget/query.go index f95b503d8f..05872d52ec 100644 --- a/src/cmd/go/internal/modget/query.go +++ b/src/cmd/go/internal/modget/query.go @@ -10,6 +10,7 @@ import ( "regexp" "strings" "sync" + "unicode/utf8" "cmd/go/internal/base" "cmd/go/internal/gover" @@ -285,6 +286,11 @@ func reportError(q *query, err error) { // TODO(bcmills): Use errors.As to unpack these errors instead of parsing // strings with regular expressions. + if !utf8.ValidString(q.pattern) || !utf8.ValidString(q.version) { + base.Errorf("go: %s", errStr) + return + } + patternRE := regexp.MustCompile("(?m)(?:[ \t(\"`]|^)" + regexp.QuoteMeta(q.pattern) + "(?:[ @:;)\"`]|$)") if patternRE.MatchString(errStr) { if q.rawVersion == "" { diff --git a/src/cmd/go/testdata/script/get_panic_issue75251.txt b/src/cmd/go/testdata/script/get_panic_issue75251.txt new file mode 100644 index 0000000000..2cc3f3a9c4 --- /dev/null +++ b/src/cmd/go/testdata/script/get_panic_issue75251.txt @@ -0,0 +1,16 @@ +# Issue #75251: Don't panic if the package path or the package version +# contains invalid UTF-8 characters. + +go mod init m + +! go get golang.org/x/net/http/httpgutsÿv0.43.0 # contains 0xff byte +! stderr panic +stderr 'malformed module path' + +! go get golang.org/x/net/http/httpgutsÿ@v0.43.0 # contains 0xff byte +! stderr panic +stderr 'malformed module path' + +! go get golang.org/x/net/http/httpguts@ÿv0.43.0 # contains 0xff byte +! stderr panic +stderr 'disallowed version string' diff --git a/src/cmd/internal/pkgpattern/pkgpattern.go b/src/cmd/internal/pkgpattern/pkgpattern.go index 1496eebb3e..5bbe8a52fb 100644 --- a/src/cmd/internal/pkgpattern/pkgpattern.go +++ b/src/cmd/internal/pkgpattern/pkgpattern.go @@ -7,6 +7,7 @@ package pkgpattern import ( "regexp" "strings" + "unicode/utf8" ) // Note: most of this code was originally part of the cmd/go/internal/search @@ -71,7 +72,7 @@ func matchPatternInternal(pattern string, vendorExclude bool) func(name string) const vendorChar = "\x00" - if vendorExclude && strings.Contains(pattern, vendorChar) { + if vendorExclude && strings.Contains(pattern, vendorChar) || !utf8.ValidString(pattern) { return func(name string) bool { return false } } |