Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

text/template: access to methods that are not part of interface #35198

Open
sorcix opened this issue Oct 27, 2019 · 2 comments
Open

text/template: access to methods that are not part of interface #35198

sorcix opened this issue Oct 27, 2019 · 2 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unplanned

Comments

@sorcix
Copy link

sorcix commented Oct 27, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.3 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/vic/.cache/go-build"
GOENV="/home/vic/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/vic/Go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build611773016=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.13.3 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.13.3
uname -sr: Linux 5.3.6-arch1-1-ARCH
LSB Version:	1.4
Distributor ID:	Arch
Description:	Arch Linux
Release:	rolling
Codename:	n/a
/usr/lib/libc.so.6: GNU C Library (GNU libc) stable release version 2.30.

What did you do?

I executed a text/template.Template with an interface as data.

Example code
package main

import (
	"os"
	"text/template"
)

type Foo struct {
	A int
}

func (f Foo) B() int {
	return 2
}

func (f Foo) C() int {
	return 3
}

type Bar interface {
	C() int
}

func main() {
	foo := Foo{A: 1}
	test(foo)
}

func test(bar Bar) {
	tpl := template.Must(template.New("template").Parse("{{ .A }} {{ .B }} {{ .C }}"))
	tpl.Execute(os.Stdout, bar)
}

On play: https://play.golang.org/p/YgMyBPie8kw

What did you expect to see?

My template is using functions that don't exist in the interface, thus I was expecting an error.

What did you see instead?

The template is able to execute functions on the underlying type, exposing functionality I don't want to expose.

I believe the text/template package actually behaved as I would expect in the past. I think the functionality was changed in 167a712.
@mvdan
Copy link
Member

mvdan commented Oct 28, 2019

Have you been able to verify if old versions of Go behave differently here?

If so, could you use a git bisect to see what commit changed the logic? That can be a good starting point to see if the change was on purpose or not.

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 29, 2019
@sorcix
Copy link
Author

sorcix commented Oct 29, 2019

I've found this question on Stack Overflow that indicates that it was different. The code listed in the answer there was removed in 167a712, and checked for an empty interface{} vs an interface that had methods, right? I hope to have time next weekend to try out some older Go versions.

Apart from how older versions behaved, it's weird to explicitly pass an interface as data to a template and see it being ignored and the underlying type used instead. It could even be a security issue, as templates have access to more than was intended. (The html/template documentation states "this package assumes that template authors are trusted", but the text/template documentation does not.)

@seankhliao seankhliao added this to the Unplanned milestone Aug 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
4 participants
@sorcix @dmitshur @mvdan @seankhliao