-
Notifications
You must be signed in to change notification settings - Fork 17.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
text/template: slice bounds out of range in Parse #52527
Comments
See also #52191. The lexer is due for a rewrite. |
Don't use whitespace in delimiters. I guess we could add a check for that, but it's hard to see why anybody would write it. I assume this was found by a fuzzer. |
This was indeed found by ngolo-fuzzing. |
I'm inclined to think that it's not worth adding a check to the text/template package, but I don't feel strongly about it. I think it's extremely unlikely that anybody would write code that permits the user to specify the delimiters for a text/template. If that is true, then this crash can only occur for code that deliberately itself sets the delimiters to include whitespace, and for that odd behavior I think the current panic is fine. Happy to hear other opinions. |
I'm inclined to think that we should add a check - causing a panic given some inputs which aren't documented as invalid feels like something to avoid, and the fuzzer is probably right to complain about it. But Ian is probably right that this feels like a rare possibility in practice, so I don't think we need to rush out a fix. |
I propose to deal with this while addressing #53261 |
My 2 cents : the fuzzer does not alert on a panic with a string. This way, developers can explicitly mention an unexpected behavior, and users can get a better error message ("do not use white space" looks more explicit to me than "slice bounds out of range") And no need to rush |
Fixed through #53261 |
Change https://go.dev/cl/433036 mentions this issue: |
Fixes #52527. Fixes #55336. Change-Id: I8f5c521c693e74451a558788909e7e4ad1cc797a Reviewed-on: https://go-review.googlesource.com/c/go/+/433036 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Rob Pike <r@golang.org> Auto-Submit: Russ Cox <rsc@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
Run https://go.dev/play/p/59OUlem1oNe?v=gotip
What did you expect to see?
The program finishing and printing somme dummy data
What did you see instead?
Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46746
The text was updated successfully, but these errors were encountered: