os: package variables can be subverted #7885

Closed
gopherbot opened this issue Apr 28, 2014 · 6 comments

Comments

@gopherbot gopherbot commented Apr 28, 2014

by glyn.normington:

It is possible to subvert the behaviour of system packages by overwriting their
variables. For instance, it is possible to set the value of os.ErrPermission. This
should not be allowed as it may cause security exposures and break existing contracts.

See this for an example: http://play.golang.org/p/PQPr9jcLqU
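
The behaviour reported above, as an added Go example that is not taken from the issue thread or the linked playground snippet: it reassigns `os.ErrPermission` and shows that a comparison against the sentinel stops matching, next to a sentinel declared with `const` that cannot be reassigned. The names `constError` and `ErrDenied` and the sample path are constructed for illustration, and `errors.Is` is a later addition to the standard library than the 2014 report.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// constError is a hypothetical string-backed error type (an assumption,
// not part of the standard library). Its values can be declared const.
type constError string

func (e constError) Error() string { return string(e) }

// ErrDenied is a constructed sentinel; `ErrDenied = ...` does not compile.
const ErrDenied = constError("access denied")

// checkAfterSubversion wraps os.ErrPermission in an error, reassigns the
// package variable as any importing package may, and reports whether
// errors.Is recognises the error before and after the reassignment.
func checkAfterSubversion() (before, after bool) {
	orig := os.ErrPermission
	defer func() { os.ErrPermission = orig }() // restore for other callers

	// Constructed sample error shaped like one returned for a denied open.
	err := &os.PathError{Op: "open", Path: "/constructed/secret", Err: orig}

	before = errors.Is(err, os.ErrPermission)
	os.ErrPermission = errors.New("subverted") // legal: it is a var
	after = errors.Is(err, os.ErrPermission)
	return before, after
}

// constSentinelMatches runs the same kind of check against the const
// sentinel, which no other package can overwrite.
func constSentinelMatches() bool {
	err := fmt.Errorf("open /constructed/secret: %w", ErrDenied)
	return errors.Is(err, ErrDenied)
}

func main() {
	before, after := checkAfterSubversion()
	fmt.Println("errors.Is before reassignment:", before)
	fmt.Println("errors.Is after reassignment: ", after)
	fmt.Println("const sentinel still matches: ", constSentinelMatches())
}
```
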
Contributor

@cznic cznic commented Apr 28, 2014

Comment 1:

Is there a specific language change proposal available? If so -> ML.
Author

@gopherbot gopherbot commented Apr 28, 2014

Comment 2 by glyn.normington:

No language change is proposed. Removing all variables from system packages would be a
sufficient, albeit disruptive, fix.
(Broadening the meaning of const may be a possible solution too, but I'll leave that to
the experts to decide.)
Contributor

@ianlancetaylor ianlancetaylor commented Apr 28, 2014

Comment 3:

This is not a security issue in the usual sense.  It permits your source code to do bad
things--but your source code can already import unsafe.

Labels changed: added repo-main, release-none.

Status changed to Thinking.

Author

@gopherbot gopherbot commented Apr 29, 2014

Comment 4 by glyn.normington:

Agreed it's not a conventional security issue.
BTW an alternative error idiom which avoids this issue is described here (although ignore
the use of stack traces which wouldn't necessarily be applicable to system libraries):
http://underlap.blogspot.co.uk/2014/04/better-golang-error-idiom.html
@rsc rsc added this to the Unplanned milestone Apr 10, 2015
@rsc rsc removed release-none labels Apr 10, 2015
Member

@ysmolsky ysmolsky commented Nov 6, 2018

@ianlancetaylor do you think we can close it? I do not see any value here.

@ysmolsky ysmolsky added WaitingForInfo and removed Thinking labels Nov 6, 2018
Contributor

@ianlancetaylor ianlancetaylor commented Nov 6, 2018

I agree: there is no proposal here. The specific problem mentioned could be addressed by, say, #6836. Closing this one.

Thanks for looking at these old issues.

@golang golang locked and limited conversation to collaborators Nov 6, 2019