os: package variables can be subverted #7885

Closed
gopherbot opened this issue Apr 28, 2014 · 6 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

@gopherbot
Contributor

by glyn.normington:

It is possible to subvert the behaviour of system packages by overwriting their
variables. For instance, it is possible to set the value of os.ErrPermission. This
should not be allowed as it may cause security exposures and break existing contracts.

See this for an example: http://play.golang.org/p/PQPr9jcLqU
@cznic
Contributor

cznic commented Apr 28, 2014

Comment 1:

Is there a specific language change proposal available? If so -> ML.

@gopherbot
Contributor Author

Comment 2 by glyn.normington:

No language change is proposed. Removing all variables from system packages would be a
sufficient, albeit disruptive, fix.
(Broadening the meaning of const may be a possible solution too, but I'll leave that to
the experts to decide.)
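
The behaviour reported in the opening post, together with a sentinel declared as a constant of a string-backed error type (possible without any language change), as an added example. It is not the linked playground code and not code from the Go project; `sentinel`, `ErrDenied` and the file path are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// sentinel is a hypothetical string-backed error type. Values of a string
// type may be declared const, so importers cannot reassign them.
type sentinel string

func (e sentinel) Error() string { return string(e) }

// ErrDenied is a hypothetical constant sentinel (not part of package os).
// Writing `ErrDenied = sentinel("x")` anywhere is a compile-time error.
const ErrDenied = sentinel("permission denied")

// OverwriteBreaksCheck reports whether errors.Is matches an existing error
// against os.ErrPermission before and after the variable is reassigned.
func OverwriteBreaksCheck() (before, after bool) {
	orig := os.ErrPermission
	defer func() { os.ErrPermission = orig }() // restore for the rest of the program

	// Constructed error that wraps the original sentinel value.
	err := fmt.Errorf("open /constructed/path: %w", os.ErrPermission)
	before = errors.Is(err, os.ErrPermission)

	// Any package in the build can do this; the compiler accepts it.
	os.ErrPermission = errors.New("permission denied")
	after = errors.Is(err, os.ErrPermission)
	return before, after
}

// ConstSentinelMatches shows that the constant sentinel compares by value.
func ConstSentinelMatches() bool {
	err := fmt.Errorf("open /constructed/path: %w", ErrDenied)
	return errors.Is(err, ErrDenied)
}

func main() {
	before, after := OverwriteBreaksCheck()
	fmt.Println("os.ErrPermission matched before/after overwrite:", before, after)
	fmt.Println("const sentinel matched:", ConstSentinelMatches())
}
```

Because `sentinel` is unexported, other packages cannot construct an equal value of that type; they can only compare against `ErrDenied`.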

@ianlancetaylor
Contributor

Comment 3:

This is not a security issue in the usual sense.  It permits your source code to do bad
things--but your source code can already import unsafe.

Labels changed: added repo-main, release-none.

Status changed to Thinking.

@gopherbot
Contributor Author

Comment 4 by glyn.normington:

Agreed it's not a conventional security issue.
BTW an alternative error idiom which avoids this issue is described here (although ignore
the use of stack traces which wouldn't necessarily be applicable to system libraries):
http://underlap.blogspot.co.uk/2014/04/better-golang-error-idiom.html

@ysmolski
Member

ysmolski commented Nov 6, 2018

@ianlancetaylor do you think we can close it? I do not see any value here.

@ysmolski ysmolski added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed Thinking labels Nov 6, 2018
@ianlancetaylor
Contributor

I agree: there is no proposal here. The specific problem mentioned could be addressed by, say, #6836. Closing this one.

Thanks for looking at these old issues.

@golang golang locked and limited conversation to collaborators Nov 6, 2019