top | item 41971076

rsc | 1 year ago

While you can create and build a local package with U+FE0E in its file name, you cannot create or download a module using that character in a file name. So you could run this attack in someone's top-level repo but not in any of their dependencies. That's something at least.

https://go.googlesource.com/mod/+/refs/heads/master/module/m...
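A defender-side check for the gap rsc points out, added here as an example (it is neither rsc's code nor the implementation in golang.org/x/mod): a lint that applies an approximation of the module system's file-name rule to a top-level repository's own files, so an invisible U+FE0E in a file name is caught in CI even though `go build` on a local checkout accepts it. The rule encoded below (ASCII letters, digits, a fixed punctuation set, and otherwise only non-ASCII letters or digits) is my reading of that check and should be treated as an assumption; the file names are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// fileNameOK approximates the per-rune rule the Go module system applies
// to file names inside a module zip. Assumption: mirrors golang.org/x/mod,
// but this is not that library's code.
func fileNameOK(r rune) bool {
	if r < unicode.MaxASCII {
		const punct = "!#$%&()+,-.=@[]^_{}~ "
		if 'A' <= r && r <= 'Z' || 'a' <= r && r <= 'z' || '0' <= r && r <= '9' {
			return true
		}
		return strings.ContainsRune(punct, r)
	}
	// Non-ASCII: letters and digits only, so an invisible variation
	// selector such as U+FE0E (category Mn) is rejected.
	return unicode.IsLetter(r) || unicode.IsDigit(r)
}

// BadRunes reports every offending rune in a slash-separated path as a
// U+XXXX string, checking each path element the way a module check would.
func BadRunes(path string) []string {
	var bad []string
	for _, elem := range strings.Split(path, "/") {
		for _, r := range elem {
			if !fileNameOK(r) {
				bad = append(bad, fmt.Sprintf("U+%04X", r))
			}
		}
	}
	return bad
}

// ScanNames runs BadRunes over a list of paths (for example the output of
// `git ls-files`) and returns only the paths that fail, with their runes.
func ScanNames(paths []string) map[string][]string {
	out := map[string][]string{}
	for _, p := range paths {
		if bad := BadRunes(p); len(bad) > 0 {
			out[p] = bad
		}
	}
	return out
}

func main() {
	// Constructed sample: the second name hides a U+FE0E right after "main".
	names := []string{"main.go", "main\uFE0E.go", "cmd/util_linux.go", "héllo.go"}
	for p, bad := range ScanNames(names) {
		fmt.Printf("%q: %v\n", p, bad) // prints "main\ufe0e.go": [U+FE0E]
	}
}
```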

donatj | 1 year ago

Huh, that gives me a little pause.

People who clone a project and compile it manually get different output than people who `go install` it?

Is that inconsistency something that … should be fixed? Seems like it should be.

rsc | 1 year ago

People who `go install` it get an error that it's not a valid source tree at all.