Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

os: UserConfigDir and UserCacheDir should disallow relative paths in the environment variables #68470

Closed
rhysd opened this issue Jul 16, 2024 · 3 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@rhysd
Copy link
Contributor

rhysd commented Jul 16, 2024

Go version

go version go1.22.5 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/rhysd/.cache/go-build'
GOENV='/home/rhysd/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/rhysd/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/rhysd/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/snap/go/10660'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/snap/go/10660/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.5'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2010600332=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Run the following code by go run.

package main

import "os"

func main() {
	os.Setenv("XDG_CONFIG_HOME", "hello")
	d, err := os.UserConfigDir()
	if err == nil {
		panic("unexpectedly successeded: " + d)
	}
}

And run the following code too.

package main

import "os"

func main() {
	os.Setenv("XDG_CACHE_HOME", "hello")
	d, err := os.UserCacheDir()
	if err == nil {
		panic("unexpectedly successeded: " + d)
	}
}

What did you see happen?

Both codes panicked:

panic: unexpectedly successeded: hello

goroutine 1 [running]:
main.main()
	/home/rhysd/Downloads/test.go:9 +0x68
exit status 2

What did you expect to see?

Both codes should not panic.

os.UserConfigDir and os.UserCacheDir should return errors when the corresponding XDG environment variables contain relative paths.

The documens are saying that

On Unix systems, it returns $XDG_CONFIG_HOME as specified by https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html if non-empty

However, XDG Base Directory Specification is saying that

All paths set in these environment variables must be absolute. If an implementation encounters a relative path in any of these variables it should consider the path invalid and ignore it.

So os.UserConfigDir and os.UserCacheDir don't conform the specification.

@rhysd
Copy link
Contributor Author

rhysd commented Jul 16, 2024

I'll try to make a patch for fixing this issue.

@seankhliao seankhliao changed the title os: UserConfigDir and UserCacheDir don't check relative paths in the environment variables os: UserConfigDir and UserCacheDir should disallow relative paths in the environment variables Jul 16, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/598655 mentions this issue: os: check relative paths in UserConfigDir and UserCacheDir

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 16, 2024
@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Jul 22, 2024
@dmitshur dmitshur added this to the Go1.24 milestone Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants