The Hangul filler codepoints (U+115F, U+1160, U+3164) are rendered as zero-width white space as specified by the Unicode standard. And they are allowed in Go import paths.
Those codepoints could be used maliciously to make a malicious package/module appear like a legitimate package/module.
I propose to forbid those codepoints in Go import paths (packages, modules) as well as any Unicode codepoint that is rendered as zero-width whitespace.
Related: #40717 (disallow Hangul filler in Go identifiers)
go version)?
$ go version 1.4.6
yes
Go Playground: https://play.golang.org/p/EYIrCh9XtI_u
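// The import path element, the package name and the suffix of Foo below are
// the single codepoint U+115F (HANGUL CHOSEONG FILLER), which renders as nothing.
package main

import (
	"play.ground/ᅟ"
)

func main() {
	ᅟ.Fooᅟ()
}
-- go.mod --
module play.ground
-- ᅟ/ᅟ.go --
package ᅟ

import "fmt"

func Fooᅟ() {
	fmt.Println("This function lives in an another file!")
}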
Import failure.
Code compiles and runs fine.
The Go module system already disallows all non-ASCII import paths during go get,
precisely because Unicode has many subtleties that we are avoiding for the moment.
I don't believe there's anything to fix here at the moment.
If you create files with "interesting" names on your local file system, that's up to you.
And published import paths don't have this problem.
/cc @bcmills @jayconrod @matloob
I suggest we close this, since it doesn't affect network-downloadable packages.
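For local trees, which the replies above leave to the developer, a lint over import paths can flag these codepoints. The following is an added example, not code from the issue or from the Go project: the names `SuspiciousRunes` and `CheckImports` are hypothetical, and the ASCII-only rule is a simplification in the spirit of the `go get` restriction mentioned above, not its actual implementation.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// The three filler codepoints named in the issue.
var hangulFillers = map[rune]string{
	0x115F: "HANGUL CHOSEONG FILLER",
	0x1160: "HANGUL JUNGSEONG FILLER",
	0x3164: "HANGUL FILLER",
}

// SuspiciousRunes reports every Hangul filler or other non-ASCII rune in path.
func SuspiciousRunes(path string) []string {
	var out []string
	for i, r := range path {
		if name, ok := hangulFillers[r]; ok {
			out = append(out, fmt.Sprintf("byte %d: U+%04X %s", i, r, name))
		} else if r > 0x7F {
			out = append(out, fmt.Sprintf("byte %d: U+%04X non-ASCII", i, r))
		}
	}
	return out
}

// CheckImports parses only the imports of src and maps each flagged path to its findings.
func CheckImports(src string) (map[string][]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	flagged := map[string][]string{}
	for _, imp := range f.Imports {
		// The parser has already validated the literal, so Unquote cannot fail here.
		path, _ := strconv.Unquote(imp.Path.Value)
		if hits := SuspiciousRunes(path); len(hits) > 0 {
			flagged[path] = hits
		}
	}
	return flagged, nil
}

// Constructed sample: the issue's import, with the filler written as an escape.
const sample = "package main\nimport (\n\t\"fmt\"\n\t\"play.ground/\u115f\"\n)\n"

func main() { fmt.Println(CheckImports(sample)) }
```

Reporting the byte offset and codepoint matters here because the offending rune is invisible when the path is printed.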