From: Bryan C. Mills Date: Tue, 4 Dec 2018 19:37:39 +0000 (-0500) Subject: [release-branch.go1.10-security] cmd/go/internal/get: reject Windows shortnames as... X-Git-Tag: go1.10.6~4 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=7ef6ee2c5727f0d11206b4d1866c18e6ab4785be;p=gostls13.git [release-branch.go1.10-security] cmd/go/internal/get: reject Windows shortnames as path components Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65 Reviewed-on: https://team-review.git.corp.google.com/c/370573 Reviewed-by: Dmitri Shuralyov --- diff --git a/src/cmd/go/internal/get/path.go b/src/cmd/go/internal/get/path.go index 2920fc2085..c8072b25fd 100644 --- a/src/cmd/go/internal/get/path.go +++ b/src/cmd/go/internal/get/path.go @@ -11,7 +11,8 @@ import ( "unicode/utf8" ) -// The following functions are copied verbatim from cmd/go/internal/module/module.go. +// The following functions are copied verbatim from cmd/go/internal/module/module.go, +// with one change to additionally reject Windows short-names. // // TODO(bcmills): After the call site for this function is backported, // consolidate this back down to a single copy. @@ -76,6 +77,7 @@ func checkElem(elem string, fileName bool) error { if elem[len(elem)-1] == '.' { return fmt.Errorf("trailing dot in path element") } + charOK := pathOK if fileName { charOK = fileNameOK @@ -97,6 +99,23 @@ func checkElem(elem string, fileName bool) error { return fmt.Errorf("disallowed path element %q", elem) } } + + // Reject path components that look like Windows short-names. + // Those usually end in a tilde followed by one or more ASCII digits. + if tilde := strings.LastIndexByte(short, '~'); tilde >= 0 && tilde < len(short)-1 { + suffix := short[tilde+1:] + suffixIsDigits := true + for _, r := range suffix { + if r < '0' || r > '9' { + suffixIsDigits = false + break + } + } + if suffixIsDigits { + return fmt.Errorf("trailing tilde and digits in path element") + } + } + return nil }