proposal:strconv.ParseBool produces a detailed error message that points to the use of Golang #40232

Closed
sean2Yi opened this issue Jul 15, 2020 · 1 comment
@sean2Yi sean2Yi commented Jul 15, 2020

What version of Go are you using (go version)?

$ go version
go version go1.12.5 darwin/amd64

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/sean/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/sean/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/sean/Documents/workspace4/assets/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/2z/g1hqw0lj415_z5dlz9gxpz600000gn/T/go-build331636948=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

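func TestParseBool(t *testing.T) { // needs imports "strconv" and "testing"
	_, err := strconv.ParseBool("test") // result discarded; only the error text matters
	if err != nil {
		t.Errorf("%v", err)
	}
}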

What did you expect to see?

parsing "test": invalid syntax

What did you see instead?

strconv.ParseBool: parsing "test": invalid syntax

strconv.ParseBool produces a detailed error message that points to the use of Golang.
I suggest removing the strconv.ParseBool string from the error message due to the security vulnerability.

@sean2Yi sean2Yi changed the title from "security:strconv.ParseBool produces a detailed error message that points to the use of Golang" to "proposal:strconv.ParseBool produces a detailed error message that points to the use of Golang" Jul 15, 2020
@gopherbot gopherbot added this to the Proposal milestone Jul 15, 2020
@gopherbot gopherbot added the Proposal label Jul 15, 2020
@ALTree ALTree (Member) commented Jul 15, 2020

If you don't want this kind of detail to leak, intercept the error and print your own. But we certainly cannot change every single error the compiler, the runtime and the standard library packages print to make them not leak the fact that the binary was built using Go.

@ALTree ALTree closed this Jul 15, 2020
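
One way to apply the advice in the comment above ("intercept the error and print your own"), as an added example that is not part of the original issue or of the Go project's code. The helper `parseFlag`, the sentinel `ErrInvalidBool`, the field name and the sample inputs are assumptions made for illustration, and the code needs Go 1.13 or later for `errors.As` and `%w`.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strconv"
)

// ErrInvalidBool is the only parse-failure text that ever reaches a client.
var ErrInvalidBool = errors.New("invalid boolean value")

// parseFlag (hypothetical helper) parses untrusted input as a bool.
// The detailed strconv error stays in the server-side log; the returned
// error carries no package or function name from the standard library.
func parseFlag(field, raw string) (bool, error) {
	v, err := strconv.ParseBool(raw)
	if err == nil {
		return v, nil
	}
	var numErr *strconv.NumError
	if errors.As(err, &numErr) {
		// numErr.Func is "ParseBool"; numErr.Err is strconv.ErrSyntax.
		// %q escapes control characters in the untrusted input before logging.
		log.Printf("field=%s func=strconv.%s cause=%v input=%q",
			field, numErr.Func, numErr.Err, raw)
	} else {
		log.Printf("field=%s unexpected parse error: %v", field, err)
	}
	return false, fmt.Errorf("%s: %w", field, ErrInvalidBool)
}

func main() {
	// Constructed sample inputs: one valid value and the value from the issue.
	for _, raw := range []string{"true", "test"} {
		v, err := parseFlag("enabled", raw)
		fmt.Printf("input=%q value=%v client_error=%v\n", raw, v, err)
	}
}
```

Callers can still branch on the failure with `errors.Is(err, ErrInvalidBool)`, while the full `strconv.ParseBool: parsing "test": invalid syntax` detail is kept for operators in the log.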