From 69e75c8581e15328454bb6e2f1dc347f73616b37 Mon Sep 17 00:00:00 2001
From: Alan Donovan <adonovan@google.com>
Date: Tue, 23 Apr 2024 12:44:54 -0400
Subject: runtime: properly frame panic values in tracebacks

This CL causes the printing of panic values to ensure that all
newlines in the output are immediately followed by a tab, so
that there is no way for a maliciously crafted panic value to
fool a program attempting to parse the traceback into thinking
that the panic value is in fact a goroutine stack.

See https://github.com/golang/go/issues/64590#issuecomment-1932675696

+ release note

Updates #64590
Updates #63455

Change-Id: I5142acb777383c0c122779d984e73879567dc627
Reviewed-on: https://go-review.googlesource.com/c/go/+/581215
Auto-Submit: Alan Donovan <adonovan@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
---
 src/testing/testing_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/testing/testing_test.go')

diff --git a/src/testing/testing_test.go b/src/testing/testing_test.go
index d3822dfd57..4a9303952e 100644
--- a/src/testing/testing_test.go
+++ b/src/testing/testing_test.go
@@ -762,7 +762,8 @@ func parseRunningTests(out []byte) (runningTests []string, ok bool) {
 	inRunningTests := false
 	for _, line := range strings.Split(string(out), "\n") {
 		if inRunningTests {
-			if trimmed, ok := strings.CutPrefix(line, "\t"); ok {
+			// Package testing adds one tab, the panic printer adds another.
+			if trimmed, ok := strings.CutPrefix(line, "\t\t"); ok {
 				if name, _, ok := strings.Cut(trimmed, " "); ok {
 					runningTests = append(runningTests, name)
 					continue
-- 
cgit v1.3