From 7ef6ee2c5727f0d11206b4d1866c18e6ab4785be Mon Sep 17 00:00:00 2001
From: "Bryan C. Mills"
Date: Tue, 4 Dec 2018 14:37:39 -0500
Subject: [release-branch.go1.10-security] cmd/go/internal/get: reject Windows shortnames as path components

Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65
Reviewed-on: https://team-review.git.corp.google.com/c/370573
Reviewed-by: Dmitri Shuralyov
---
 src/cmd/go/internal/get/path.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/cmd/go/internal/get/path.go b/src/cmd/go/internal/get/path.go
index 2920fc2085..c8072b25fd 100644
--- a/src/cmd/go/internal/get/path.go
+++ b/src/cmd/go/internal/get/path.go
@@ -11,7 +11,8 @@ import (
 "unicode/utf8"
 )

-// The following functions are copied verbatim from cmd/go/internal/module/module.go.
+// The following functions are copied verbatim from cmd/go/internal/module/module.go,
+// with one change to additionally reject Windows short-names.
 //
 // TODO(bcmills): After the call site for this function is backported,
 // consolidate this back down to a single copy.
@@ -76,6 +77,7 @@ func checkElem(elem string, fileName bool) error {
 if elem[len(elem)-1] == '.' {
 return fmt.Errorf("trailing dot in path element")
 }
+
 charOK := pathOK
 if fileName {
 charOK = fileNameOK
@@ -97,6 +99,23 @@ func checkElem(elem string, fileName bool) error {
 return fmt.Errorf("disallowed path element %q", elem)
 }
 }
+
+ // Reject path components that look like Windows short-names.
+ // Those usually end in a tilde followed by one or more ASCII digits.
+ if tilde := strings.LastIndexByte(short, '~'); tilde >= 0 && tilde < len(short)-1 {
+ suffix := short[tilde+1:]
+ suffixIsDigits := true
+ for _, r := range suffix {
+ if r < '0' || r > '9' {
+ suffixIsDigits = false
+ break
+ }
+ }
+ if suffixIsDigits {
+ return fmt.Errorf("trailing tilde and digits in path element")
+ }
+ }
+
 return nil
 }

-- 
cgit v1.2.3-54-g00ecf
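Review bot: The tilde-and-digits check added at the end of checkElem (third hunk) lands without a regression test. The diffstat lists only path.go, so nothing pins that an element such as `foo~1` (constructed example) is refused while `foo~` and `foo~bar` are left alone by this check. The comment above the check says what a short-name looks like but not why it is refused; I would add something like `// A short-name is an 8.3 alias that Windows resolves to a different, longer name, so it could sidestep the name checks above.` The check reads `short`, which is assigned outside this hunk (presumably the element cut at its first dot, worth confirming), and checkElem itself begins above the hunk.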