From 5fad09016b172cd70a8e47b0f1ed0db07d1ebd17 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Tue, 26 Jun 2018 06:40:26 -0700
Subject: [PATCH] cmd/cgo: mention character restrictions on #cgo lines

Fixes #26025

Change-Id: I43b3c9019ca8d2844e4d664c2090e506b2171077
Reviewed-on: https://go-review.googlesource.com/120975
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---
 src/cmd/cgo/doc.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/cmd/cgo/doc.go b/src/cmd/cgo/doc.go
index 332b5670cc..4bd82ebd12 100644
--- a/src/cmd/cgo/doc.go
+++ b/src/cmd/cgo/doc.go
@@ -64,6 +64,11 @@ a full argument: to allow -mfoo=bar, use CGO_CFLAGS_ALLOW='-mfoo.*',
 not just CGO_CFLAGS_ALLOW='-mfoo'. Similarly named variables control
 the allowed CPPFLAGS, CXXFLAGS, FFLAGS, and LDFLAGS.
 
+Also for security reasons, only a limited set of characters are
+permitted, notably alphanumeric characters and a few symbols, such as
+'.', that will not be interpreted in unexpected ways. Attempts to use
+forbidden characters will get a "malformed #cgo argument" error.
+
 When building, the CGO_CFLAGS, CGO_CPPFLAGS, CGO_CXXFLAGS, CGO_FFLAGS and
 CGO_LDFLAGS environment variables are added to the flags derived from
 these directives. Package-specific flags should be set using the
-- 
2.50.0