diff options
| author | Richard Miller <millerresearch@gmail.com> | 2025-08-07 11:15:23 +0100 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2025-08-13 14:55:23 -0700 |
| commit | 674c5f0edd82b5d1dd5cb44eb4b85830245c151e (patch) | |
| tree | dc168e629bcae3886057e17de625c74663a571f2 /src/os/exec | |
| parent | 9bbea0f21a4539ea365d4804131b17d3b963c4f7 (diff) | |
| download | go-674c5f0edd82b5d1dd5cb44eb4b85830245c151e.tar.xz | |
os/exec: fix incorrect expansion of ".." in LookPath on plan9
The correction in CL 685755 is incomplete for plan9, where path
search is performed even on file strings containing "/". By
applying filepath.Clean to the argument of validateLookPath,
we can check for bogus file strings containing ".." where the
later call to filepath.Join would transform a path like
"badfile/dir/.." to "badfile" even where "dir" isn't a directory
or doesn't exist.
For #74466
Fixes #74892
Change-Id: I3f8b73a1de6bc7d8001b1ca8e74b78722408548e
Reviewed-on: https://go-review.googlesource.com/c/go/+/693935
Reviewed-by: David du Colombier <0intro@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Diffstat (limited to 'src/os/exec')
| -rw-r--r-- | src/os/exec/lp_plan9.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go index 0430af9eef..f713a6905c 100644 --- a/src/os/exec/lp_plan9.go +++ b/src/os/exec/lp_plan9.go @@ -36,7 +36,7 @@ func findExecutable(file string) error { // As of Go 1.19, LookPath will instead return that path along with an error satisfying // [errors.Is](err, [ErrDot]). See the package documentation for more details. func LookPath(file string) (string, error) { - if err := validateLookPath(file); err != nil { + if err := validateLookPath(filepath.Clean(file)); err != nil { return "", &Error{file, err} } |