Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: cmd/go: disallow Hangul filler codepoints in import paths #40718

Closed
dolmen opened this issue Aug 12, 2020 · 2 comments
Closed

proposal: cmd/go: disallow Hangul filler codepoints in import paths #40718

dolmen opened this issue Aug 12, 2020 · 2 comments

Comments

@dolmen
Copy link
Contributor

dolmen commented Aug 12, 2020

The Hangul filler codepoints (U+115F, U+1160, U+3164) are rendered as zero-width white space as specified by the Unicode standard. And they are allowed in Go import paths.
Those codepoints could be used maliciously to make a malicious package/module appear like a legitimate package/module.

I propose to forbid those codepoints in Go import paths (packages, modules) as well as any Unicode codepoint that is rendered as zero-width whitespace.

Related: #40717 (disallow Hangul filler in Go identifiers)

What version of Go are you using (go version)?

$ go version
1.4.6

Does this issue reproduce with the latest release?

yes

What did you do?

Go Playground: https://play.golang.org/p/EYIrCh9XtI_u

package main

import (
	"play.ground/ᅟ"
)

func main() {
	.Fooᅟ()
}
-- go.mod --
module play.ground
-- /.go --
packageimport "fmt"

func Fooᅟ() {
	fmt.Println("This function lives in an another file!")
}

What did you expect to see?

Import failure.

What did you see instead?

Code compiles and runs fine.

@gopherbot gopherbot added this to the Proposal milestone Aug 12, 2020
@rsc rsc added this to Incoming in Proposals (old) Aug 12, 2020
@rsc
Copy link
Contributor

rsc commented Aug 12, 2020

The Go module system already disallows all non-ASCII import paths during go get,
precisely because Unicode has many subtleties that we are avoiding for the moment.

I don't believe there's anything to fix here at the moment.
If you create files with "interesting" names on your local file system, that's up to you.
And published import paths don't have this problem.

/cc @bcmills @jayconrod @matloob

@rsc rsc changed the title Proposal: disallow Hangul filler codepoints in import paths proposal: cmd/go: disallow Hangul filler codepoints in import paths Aug 12, 2020
@rsc
Copy link
Contributor

rsc commented Aug 12, 2020

I suggest we close this, since it doesn't affect network-downloadable packages.

@dolmen dolmen closed this as completed Aug 13, 2020
@martisch martisch removed this from Incoming in Proposals (old) Aug 14, 2020
@rsc rsc added this to Declined in Proposals (old) Aug 14, 2020
@golang golang locked and limited conversation to collaborators Aug 13, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
No open projects
Development

No branches or pull requests

3 participants