From: Youlin Feng <fengyoulin@live.com>
Date: Thu, 4 Sep 2025 01:17:26 +0000 (+0800)
Subject: cmd/go: check pattern for utf8 validity before call regexp.MustCompile
X-Git-Tag: go1.26rc1~850
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=cbdad4fc3cecbdfcee4e9d30df04916a151bfc16;p=gostls13.git

cmd/go: check pattern for utf8 validity before call regexp.MustCompile

Do not panic if the package path or the package version contains
invalid UTF-8 characters.

Fixes #75251

Change-Id: Ib787e74277cf814253857b911d378ea5e53d8824
Reviewed-on: https://go-review.googlesource.com/c/go/+/700815
Reviewed-by: Michael Matloob <matloob@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Alexander <jitsu@google.com>
Reviewed-by: Michael Matloob <matloob@golang.org>
---

diff --git a/src/cmd/go/internal/modget/query.go b/src/cmd/go/internal/modget/query.go
index f95b503d8f..05872d52ec 100644
--- a/src/cmd/go/internal/modget/query.go
+++ b/src/cmd/go/internal/modget/query.go
@@ -10,6 +10,7 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"unicode/utf8"
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/gover"
@@ -285,6 +286,11 @@ func reportError(q *query, err error) {
 	// TODO(bcmills): Use errors.As to unpack these errors instead of parsing
 	// strings with regular expressions.
 
+	if !utf8.ValidString(q.pattern) || !utf8.ValidString(q.version) {
+		base.Errorf("go: %s", errStr)
+		return
+	}
+
 	patternRE := regexp.MustCompile("(?m)(?:[ \t(\"`]|^)" + regexp.QuoteMeta(q.pattern) + "(?:[ @:;)\"`]|$)")
 	if patternRE.MatchString(errStr) {
 		if q.rawVersion == "" {
diff --git a/src/cmd/go/testdata/script/get_panic_issue75251.txt b/src/cmd/go/testdata/script/get_panic_issue75251.txt
new file mode 100644
index 0000000000..2cc3f3a9c4
--- /dev/null
+++ b/src/cmd/go/testdata/script/get_panic_issue75251.txt
@@ -0,0 +1,16 @@
+# Issue #75251: Don't panic if the package path or the package version
+# contains invalid UTF-8 characters.
+
+go mod init m
+
+! go get golang.org/x/net/http/httpgutsÿv0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'malformed module path'
+
+! go get golang.org/x/net/http/httpgutsÿ@v0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'malformed module path'
+
+! go get golang.org/x/net/http/httpguts@ÿv0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'disallowed version string'
diff --git a/src/cmd/internal/pkgpattern/pkgpattern.go b/src/cmd/internal/pkgpattern/pkgpattern.go
index 1496eebb3e..5bbe8a52fb 100644
--- a/src/cmd/internal/pkgpattern/pkgpattern.go
+++ b/src/cmd/internal/pkgpattern/pkgpattern.go
@@ -7,6 +7,7 @@ package pkgpattern
 import (
 	"regexp"
 	"strings"
+	"unicode/utf8"
 )
 
 // Note: most of this code was originally part of the cmd/go/internal/search
@@ -71,7 +72,7 @@ func matchPatternInternal(pattern string, vendorExclude bool) func(name string)
 
 	const vendorChar = "\x00"
 
-	if vendorExclude && strings.Contains(pattern, vendorChar) {
+	if vendorExclude && strings.Contains(pattern, vendorChar) || !utf8.ValidString(pattern) {
 		return func(name string) bool { return false }
 	}