Diffstat (limited to 'src/cmd/go/internal/work/security.go')
-rw-r--r--src/cmd/go/internal/work/security.go50
1 files changed, 46 insertions, 4 deletions
diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go
index fee5beeb15..54fd6b9782 100644
--- a/src/cmd/go/internal/work/security.go
+++ b/src/cmd/go/internal/work/security.go
@@ -34,6 +34,7 @@ import (
"fmt"
"os"
"regexp"
+ "strings"
)
var re = regexp.MustCompile
@@ -45,26 +46,42 @@ var validCompilerFlags = []*regexp.Regexp{
re(`-O([^@\-].*)`),
re(`-W`),
re(`-W([^@,]+)`), // -Wall but not -Wa,-foo.
+ re(`-f(no-)?blocks`),
+ re(`-f(no-)?common`),
+ re(`-f(no-)?constant-cfstrings`),
+ re(`-f(no-)?exceptions`),
+ re(`-finput-charset=([^@\-].*)`),
+ re(`-f(no-)?lto`),
+ re(`-f(no-)?modules`),
re(`-f(no-)?objc-arc`),
re(`-f(no-)?omit-frame-pointer`),
+ re(`-f(no-)?openmp(-simd)?`),
+ re(`-f(no-)?permissive`),
re(`-f(no-)?(pic|PIC|pie|PIE)`),
+ re(`-f(no-)?rtti`),
re(`-f(no-)?split-stack`),
re(`-f(no-)?stack-(.+)`),
re(`-f(no-)?strict-aliasing`),
re(`-fsanitize=(.+)`),
re(`-g([^@\-].*)?`),
re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
+ re(`-m(no-)?avx[0-9a-z.]*`),
+ re(`-m(no-)?ms-bitfields`),
re(`-m(no-)?stack-(.+)`),
re(`-mmacosx-(.+)`),
re(`-mnop-fun-dllimport`),
+ re(`-m(no-)?sse[0-9.]*`),
+ re(`-pedantic(-errors)?`),
+ re(`-pipe`),
re(`-pthread`),
- re(`-std=([^@\-].*)`),
+ re(`-?-std=([^@\-].*)`),
re(`-x([^@\-].*)`),
}
var validCompilerFlagsWithNextArg = []string{
"-D",
"-I",
+ "-isystem",
"-framework",
"-x",
}
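Review bot: The new `-finput-charset=([^@\-].*)` and `-?-std=([^@\-].*)` entries repeat the `[^@\-]` first-character exclusion without saying what it guards against, while the neighbouring `-W([^@,]+)` entry does explain its restriction. For an allowlist that gates flags taken from package source, I would document the rule once next to these entries, for example `// Values may not begin with @ or -, so a value is never read as a response file or as a separate option.` The response-file reading is my inference from the `(but not -foo.o or @foo.o)` remark later in the file and should be confirmed. The patterns are written without `^`/`$`, so the list is only as strict as the matcher that applies it; that code is outside this hunk and should be checked to require a whole-argument match.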
@@ -79,16 +96,29 @@ var validLinkerFlags = []*regexp.Regexp{
re(`-m(arch|cpu|fpu|tune)=([^@\-].*)`),
re(`-(pic|PIC|pie|PIE)`),
re(`-pthread`),
+ re(`-?-static([-a-z0-9+]*)`),
// Note that any wildcards in -Wl need to exclude comma,
// since -Wl splits its argument at commas and passes
// them all to the linker uninterpreted. Allowing comma
// in a wildcard would allow tunnelling arbitrary additional
// linker arguments through one of these.
+ re(`-Wl,--(no-)?as-needed`),
+ re(`-Wl,-Bdynamic`),
+ re(`-Wl,-Bstatic`),
+ re(`-Wl,--disable-new-dtags`),
+ re(`-Wl,--enable-new-dtags`),
+ re(`-Wl,--end-group`),
+ re(`-Wl,-framework,[^,@\-][^,]+`),
+ re(`-Wl,-headerpad_max_install_names`),
+ re(`-Wl,--no-undefined`),
re(`-Wl,-rpath,([^,@\-][^,]+)`),
+ re(`-Wl,-search_paths_first`),
+ re(`-Wl,--start-group`),
+ re(`-Wl,-?-unresolved-symbols=[^,]+`),
re(`-Wl,--(no-)?warn-([^,]+)`),
- re(`[a-zA-Z0-9_].*\.(o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
+ re(`[a-zA-Z0-9_/].*\.(a|o|obj|dll|dylib|so)`), // direct linker inputs: x.o or libfoo.so (but not -foo.o or @foo.o)
}
var validLinkerFlagsWithNextArg = []string{
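Review bot: The trailing comment on the direct-linker-input pattern still reads "x.o or libfoo.so", but the new pattern `[a-zA-Z0-9_/].*\.(a|o|obj|dll|dylib|so)` also accepts static archives and, through the added `/`, absolute paths. That widens what a package's link flags can name on the build machine, so the comment should say so explicitly, for example `// direct linker inputs: x.o, libfoo.a or /path/to/libfoo.so (but not -foo.o or @foo.o)`. The new `-Wl,` entries keep commas out of their wildcards, which matches the rule in the comment block above them. As with the compiler list, whether a pattern must match the entire argument is decided outside this hunk.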
@@ -96,6 +126,7 @@ var validLinkerFlagsWithNextArg = []string{
"-l",
"-L",
"-framework",
+ "-Wl,-framework",
}
func checkCompilerFlags(name, source string, list []string) error {
@@ -147,10 +178,21 @@ Args:
i++
continue Args
}
+
+ // Permit -Wl,-framework -Wl,name.
+ if i+1 < len(list) &&
+ strings.HasPrefix(arg, "-Wl,") &&
+ strings.HasPrefix(list[i+1], "-Wl,") &&
+ load.SafeArg(list[i+1][4:]) &&
+ !strings.Contains(list[i+1][4:], ",") {
+ i++
+ continue Args
+ }
+
if i+1 < len(list) {
- return fmt.Errorf("invalid flag in %s: %s %s", source, arg, list[i+1])
+ return fmt.Errorf("invalid flag in %s: %s %s (see https://golang.org/s/invalidflag)", source, arg, list[i+1])
}
- return fmt.Errorf("invalid flag in %s: %s without argument", source, arg)
+ return fmt.Errorf("invalid flag in %s: %s without argument (see https://golang.org/s/invalidflag)", source, arg)
}
}
Bad:
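Review bot: The added branch is labelled "Permit -Wl,-framework -Wl,name" but its guard is `strings.HasPrefix(arg, "-Wl,")`, so any other `-Wl,` flag later added to a next-argument list would get the same pairing without anyone revisiting this check. Tying it to the exact flag, `arg == "-Wl,-framework" &&`, keeps the exception as narrow as the comment says. The literal `4` is the length of `"-Wl,"` and appears twice; a local such as `next := list[i+1][len("-Wl,"):]` assigned after the prefix test would make that obvious. The comment should also record why a comma is rejected, for example `// The name goes to the linker as-is; a comma would let it carry extra linker arguments.` The enclosing function and its `Args` loop begin outside this hunk.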