cmd/go: whitelist @includedir@ and @libdir@ in CGO flags #24505

Closed
ancarda opened this issue Mar 23, 2018 · 4 comments
ancarda commented Mar 23, 2018

What version of Go are you using (go version)?

go version go1.10 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/sites/go"
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build478259282=/tmp/go-build"

What did you do?

Running go get on the source code below will yield an error. Here is a minimal program that exhibits this behavior:

package main

import (
	"github.com/abh/geoip"
	"log"
)

func main() {
	geoip, err := geoip.OpenDb([]string{}, 0)
	log.Println(geoip)
	log.Println(err)
}

I have to get, build, and run by putting this prefix in front, or by using export:

CGO_CFLAGS_ALLOW=-I@includedir@/ CGO_LDFLAGS_ALLOW=-L@libdir@ go build

What did you expect to see?

Go get, build, and run working the same way it did in 1.9.

As is described in the InvalidFlag section on the wiki, would it be possible to have these whitelisted in Go?

What did you see instead?

$ go get
go build github.com/abh/geoip: invalid flag in pkg-config --cflags: -I@includedir@/
ianlancetaylor changed the title from "Whitelist includedir and libdir in CGO flags" to "cmd/go: whitelist @includedir@ and @libdir@ in CGO flags" Mar 23, 2018

ianlancetaylor (Contributor) commented

Do you actually have directories named @includedir@?

The problem with whitelisting this kind of option is that @ is treated specially by the GCC command line parser: it designates a response file, and is replaced by the contents of the file with that name. That is, it is a vector for breaking security, exactly what the whitelist is intended to prevent.

Looking at github.com/abh/geoip, it uses #cgo pkg-config: geoip. That means that cmd/go will invoke pkg-config --cflags geoip to get the compiler flags to use. On my Ubuntu system that command prints -I/usr/include/. What does it print on your system?
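
Added example, not part of the comment above and not cmd/go's own check: a small Go linter that classifies pkg-config output the way this thread reasons about it, separating arguments GCC would read as a response file from autoconf placeholders such as @includedir@ that were never substituted. The `Finding` type, `CheckFlags` function, reason strings, and the last two sample strings are assumptions made for illustration; the first two samples are the outputs quoted in this thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Autoconf substitutions look like @includedir@ and should have been
// replaced when the .pc file was generated from its template.
var placeholder = regexp.MustCompile(`@[A-Za-z_][A-Za-z0-9_]*@`)

// Finding describes one suspicious flag (hypothetical type for this example).
type Finding struct {
	Flag, Reason string
}

// CheckFlags splits pkg-config output on whitespace (shell quoting is not
// handled here) and reports flags that need review before reaching GCC.
func CheckFlags(output string) []Finding {
	var findings []Finding
	for _, flag := range strings.Fields(output) {
		switch {
		case strings.HasPrefix(flag, "@"):
			// GCC replaces an argument of the form @file with that file's contents.
			findings = append(findings, Finding{flag, "response-file argument"})
		case placeholder.MatchString(flag):
			findings = append(findings, Finding{flag, "unexpanded autoconf placeholder"})
		case strings.Contains(flag, "@"):
			findings = append(findings, Finding{flag, "other '@' in flag"})
		}
	}
	return findings
}

func main() {
	// Constructed samples; the last two are invented for this example.
	samples := []string{
		"-I/usr/include/",
		"-I@includedir@/",
		"-L@libdir@ -lGeoIP",
		"@extra.rsp -O2",
	}
	for _, s := range samples {
		fmt.Printf("%q -> %v\n", s, CheckFlags(s))
	}
}
```

A finding of the placeholder kind points at a broken .pc file on the build host rather than at anything the Go toolchain should accept by default.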

ancarda (Author) commented Mar 23, 2018

Hi,

Hmm, I didn't know @ was problematic. Unfortunately I'm not sure how else to solve this problem. I can't get builds to work without that. About your question, this is what I see when I run pkg-config:

$ pkg-config --cflags geoip
-I@includedir@/

I hope that is helpful. I am using CentOS 6.9.

ianlancetaylor (Contributor) commented

Unless you actually have a directory literally named @includedir@, which is unlikely, there is something wrong with your geoip installation. Assuming it is the one that comes with CentOS, that seems like a CentOS bug. I don't see any good approach we can take. I think you will have to keep using the _ALLOW environment variables until CentOS can fix the problem.

ancarda (Author) commented Mar 23, 2018

Yeah, I don't have a directory called @includedir@.

I'm going to close this as I think it doesn't affect anyone else -- from what I can tell, this isn't a CentOS problem but an issue with my company's RPM server.

Thank you very much for helping me to debug this so far.

ancarda closed this as completed Mar 23, 2018
golang locked and limited conversation to collaborators Mar 23, 2019