You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Hangul filler codepoints (U+115F, U+1160, U+3164) are rendered as zero-width white space as specified by the Unicode standard. And they are allowed in Go import paths.
Those codepoints could be used maliciously to make a malicious package/module appear like a legitimate package/module.
I propose to forbid those codepoints in Go import paths (packages, modules) as well as any Unicode codepoint that is rendered as zero-width whitespace.
Related: #40717 (disallow Hangul filler in Go identifiers)
What version of Go are you using (go version)?
$ go version
1.4.6
Does this issue reproduce with the latest release?
package main
import (
"play.ground/ᅟ"
)
funcmain() {
ᅟ.Fooᅟ()
}
--go.mod--moduleplay.ground--ᅟ/ᅟ.go--package ᅟ
import"fmt"funcFooᅟ() {
fmt.Println("This function lives in an another file!")
}
What did you expect to see?
Import failure.
What did you see instead?
Code compiles and runs fine.
The text was updated successfully, but these errors were encountered:
The Go module system already disallows all non-ASCII import paths during go get,
precisely because Unicode has many subtleties that we are avoiding for the moment.
I don't believe there's anything to fix here at the moment.
If you create files with "interesting" names on your local file system, that's up to you.
And published import paths don't have this problem.
rsc
changed the title
Proposal: disallow Hangul filler codepoints in import paths
proposal: cmd/go: disallow Hangul filler codepoints in import paths
Aug 12, 2020
The Hangul filler codepoints (U+115F, U+1160, U+3164) are rendered as zero-width white space as specified by the Unicode standard. And they are allowed in Go import paths.
Those codepoints could be used maliciously to make a malicious package/module appear like a legitimate package/module.
I propose to forbid those codepoints in Go import paths (packages, modules) as well as any Unicode codepoint that is rendered as zero-width whitespace.
Related: #40717 (disallow Hangul filler in Go identifiers)
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
yes
What did you do?
Go Playground: https://play.golang.org/p/EYIrCh9XtI_u
What did you expect to see?
Import failure.
What did you see instead?
Code compiles and runs fine.
The text was updated successfully, but these errors were encountered: