cmd/go: "go mod vendor" copies/overwrites files in parent directories if module folder is in the same directory as GOPATH #30311
Labels
modules
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
Starting with a default Windows install (
GOROOT=C:\Go
,GOPATH=%USERPROFILE%\go
):Create a file in %USERPROFILE% with any of these prefixes:
go/src/cmd/go/internal/modcmd/vendor.go
Lines 143 to 153 in aab0b70
I used "LEGAL.txt".
Create a new folder in %USERPROFILE%.
I used "project".
Create a main.go in that folder that will import modules.
I used the code from https://github.com/golang/go/wiki/Modules#quick-start
Initialize the module (
go mod init mymodule
)Vendor the module (
go mod vendor
)You should see an error at this point:
go vendor: open C:\Users\LEGAL.txt: Access is denied.
This error is given because the vendoring code is attemping to copy LEGAL.txt all the way up the directory tree.
If you change your GOPATH to somewhere that has more parent folders and follow the above instructions (create
project
folder at same level asGOPATH
and include aLEGAL.txt
in one of the parent folders), you will see it will copy it up the entire directory tree until it hits an access denied error. It will also overwrite any files with the same name in any of these folders.What did you expect to see?
The command should not modify files outside of Go-related directories.
What did you see instead?
Go copies and overwrites files outside of Go-related directories.
The text was updated successfully, but these errors were encountered: