[release-branch.go1.11-security] cmd/go/internal/get: reject Windows …

…shortnames as path components Change-Id: Ia32d8ec1fc0c4e242f50d8871c0ef3ce315f3c65 Reviewed-on: https://team-review.git.corp.google.com/c/370572 Reviewed-by: Dmitri Shuralyov <[email protected]>
golang · Dec 7, 2018 · 5aedc8a · 5aedc8a
1 parent 8954add
commit 5aedc8a
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/src/cmd/go/internal/get/path.go b/src/cmd/go/internal/get/path.go
@@ -11,7 +11,8 @@ import (
 	"unicode/utf8"
 )
 
-// The following functions are copied verbatim from cmd/go/internal/module/module.go.
+// The following functions are copied verbatim from cmd/go/internal/module/module.go,
+// with one change to additionally reject Windows short-names.
 //
 // TODO(bcmills): After the call site for this function is backported,
 // consolidate this back down to a single copy.
@@ -76,6 +77,7 @@ func checkElem(elem string, fileName bool) error {
 	if elem[len(elem)-1] == '.' {
 		return fmt.Errorf("trailing dot in path element")
 	}
+
 	charOK := pathOK
 	if fileName {
 		charOK = fileNameOK
@@ -97,6 +99,23 @@ func checkElem(elem string, fileName bool) error {
 			return fmt.Errorf("disallowed path element %q", elem)
 		}
 	}
+
+	// Reject path components that look like Windows short-names.
+	// Those usually end in a tilde followed by one or more ASCII digits.
+	if tilde := strings.LastIndexByte(short, '~'); tilde >= 0 && tilde < len(short)-1 {
+		suffix := short[tilde+1:]
+		suffixIsDigits := true
+		for _, r := range suffix {
+			if r < '0' || r > '9' {
+				suffixIsDigits = false
+				break
+			}
+		}
+		if suffixIsDigits {
+			return fmt.Errorf("trailing tilde and digits in path element")
+		}
+	}
+
 	return nil
 }
 

diff --git a/src/cmd/go/testdata/script/get_tilde.txt b/src/cmd/go/testdata/script/get_tilde.txt
@@ -0,0 +1,21 @@
+# Paths containing windows short names should be rejected before attempting to fetch.
+! go get example.com/longna~1.dir/thing
+stderr 'trailing tilde and digits'
+! go get example.com/longna~1/thing
+stderr 'trailing tilde and digits'
+! go get example.com/~9999999/thing
+stderr 'trailing tilde and digits'
+
+# A path containing an element that is just a tilde, or a tilde followed by non-digits,
+# should attempt to resolve.
+! go get example.com/~glenda/notfound
+! stderr 'trailing tilde and digits'
+stderr 'unrecognized import path'
+
+! go get example.com/~glenda2/notfound
+! stderr 'trailing tilde and digits'
+stderr 'unrecognized import path'
+
+! go get example.com/~/notfound
+! stderr 'trailing tilde and digits'
+stderr 'unrecognized import path'