author | Ian Lance Taylor <iant@golang.org> | 2023-05-04 14:06:39 -0700 |
---|---|---|
committer | Gopher Robot <gobot@golang.org> | 2023-06-06 17:02:02 +0000 |
commit | fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 (patch) | |
tree | ea4b7019a3dd1b1dcec3e3fd084b511554931fc4 | |
parent | 36144ba429ef2650940c72e7a0b932af3612d420 (diff) | |
[release-branch.go1.20] cmd/go,cmd/cgo: in _cgo_flags use one line per flag
The flags that we recorded in _cgo_flags did not use any quoting,
so a flag containing embedded spaces was mishandled.
Change the _cgo_flags format to put each flag on a separate line.
That is a simple format that does not require any quoting.
As far as I can tell only cmd/go uses _cgo_flags, and it is only
used for gccgo. If this patch doesn't cause any trouble, then
in the next release we can change to only using _cgo_flags for gccgo.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Updates #60306
Fixes #60514
Fixes CVE-2023-29405
Change-Id: I36b6e188a44c80d7b9573efa577c386770bd2ba3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit bcdfcadd5612212089d958bc352a6f6c90742dcc)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1902228
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1904345
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/501220
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: David Chase <drchase@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
-rw-r--r-- | src/cmd/cgo/out.go | 4 | ||||
-rw-r--r-- | src/cmd/go/internal/work/gccgo.go | 14 | ||||
-rw-r--r-- | src/cmd/go/testdata/script/gccgo_link_ldflags.txt | 20 |
3 files changed, 29 insertions, 9 deletions
diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
index d26f9e76a3..d0c6fe3d4c 100644
--- a/src/cmd/cgo/out.go
+++ b/src/cmd/cgo/out.go
@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
 fflg := creat(*objDir + "_cgo_flags")
 for k, v := range p.CgoFlags {
- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
+ for _, arg := range v {
+ fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)
+ }
 if k == "LDFLAGS" && !*gccgo {
 for _, arg := range v {
 fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go
index 08a4c2d816..a048b7f4ee 100644
--- a/src/cmd/go/internal/work/gccgo.go
+++ b/src/cmd/go/internal/work/gccgo.go
@@ -280,14 +280,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string
 const ldflagsPrefix = "_CGO_LDFLAGS="
 for _, line := range strings.Split(string(flags), "\n") {
 if strings.HasPrefix(line, ldflagsPrefix) {
- newFlags := strings.Fields(line[len(ldflagsPrefix):])
- for _, flag := range newFlags {
- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
- // but they don't mean anything to the linker so filter
- // them out.
- if flag != "-g" && !strings.HasPrefix(flag, "-O") {
- cgoldflags = append(cgoldflags, flag)
- }
+ flag := line[len(ldflagsPrefix):]
+ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS
+ // but they don't mean anything to the linker so filter
+ // them out.
+ if flag != "-g" && !strings.HasPrefix(flag, "-O") {
+ cgoldflags = append(cgoldflags, flag)
 }
 }
 }
diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
new file mode 100644
index 0000000000..4e91ae5650
--- /dev/null
+++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt
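Review bot: The added `fmt.Fprintf(fflg, "_CGO_%s=%s\n", arg)` in writeDefs has two `%s` verbs but only one operand, so the key `k` never reaches the file and each line comes out as `_CGO_<flag>=%!s(MISSING)`. The reader in gccgo.go matches on the `_CGO_LDFLAGS=` prefix, so with this writer every cgo LDFLAGS entry would be silently dropped at gccgo link time. The call should be `fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)`; `go vet` reports this kind of verb/operand mismatch. The script test added in this commit would not catch it, because a build whose flags are dropped also succeeds, and writeDefs itself continues outside the hunk.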
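Review bot: The new loop in link treats everything after `_CGO_LDFLAGS=` as a single flag, so a `_cgo_flags` file still in the old space-joined format (possibly from an archive built by an earlier toolchain; the hunk does not show where `flags` is read from) would reach the linker as one argument such as `-g -O2`, which the `-g`/`-O` filter no longer removes. An empty value is now appended as an empty argument where `strings.Fields` used to drop it; `if flag == "" { continue }` before the filter would keep the old behavior. A comment above the loop such as `// Each line holds exactly one flag; whitespace inside it is significant.` would record the format this reader depends on. The body of link starts and ends outside the hunk.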
@@ -0,0 +1,20 @@
+# Test that #cgo LDFLAGS are properly quoted.
+# The #cgo LDFLAGS below should pass a string with spaces to -L,
+# as though searching a directory with a space in its name.
+# It should not pass --nosuchoption to the external linker.
+
+[!cgo] skip
+
+go build
+
+[!exec:gccgo] skip
+
+go build -compiler gccgo
+
+-- go.mod --
+module m
+-- cgo.go --
+package main
+// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption"
+import "C"
+func main() {} |