cmd/go: toolchain directive can point to file relative to go.mod with ADS on windows #71470

Open
@rolandshoemaker

Due to #71469, a toolchain directive with an ADS suffix (e.g. toolchain go1.25-:alt) can result in the toolchain attempting to execute a file's alternate data stream that is located alongside the go.mod file.

Since it's somewhat complex to create a file with ADS, and as far as we could tell no source control software supports it, while clearly unexpected, we do not consider this significantly dangerous.

This is a PUBLIC track security issue per our security policy.

Thanks to Juho Forsén for reporting this issue.
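A pre-build check for the directive shape described in this issue, as an added example that is not part of the issue or of the Go project's code: it scans go.mod text and flags any toolchain name containing ':' or a path separator. The names checkToolchain, Finding and sampleGoMod are hypothetical, the sample go.mod is constructed, and treating these characters as never legitimate in a toolchain name is an assumption of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding records a toolchain directive whose name carries characters that
// Windows treats as stream or path syntax (assumed never legitimate here).
type Finding struct {
	Line         int
	Name, Reason string
}

// checkToolchain scans go.mod text for toolchain directives and flags names
// containing ':' (NTFS alternate data stream separator) or a path separator.
func checkToolchain(goMod string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comment
		}
		f := strings.Fields(line)
		if len(f) != 2 || f[0] != "toolchain" {
			continue
		}
		name := f[1]
		switch {
		case strings.Contains(name, ":"):
			out = append(out, Finding{n, name, "contains ':' (ADS separator on NTFS)"})
		case strings.ContainsAny(name, `/\`):
			out = append(out, Finding{n, name, "contains a path separator"})
		}
	}
	return out
}

// Constructed sample go.mod using the directive quoted in the issue text.
const sampleGoMod = "module example.com/demo\n\ngo 1.24\n\ntoolchain go1.25-:alt // constructed sample\n"

func main() {
	for _, f := range checkToolchain(sampleGoMod) {
		fmt.Printf("go.mod:%d: toolchain %q %s\n", f.Line, f.Name, f.Reason)
	}
}
```

Run over a checked-out module before invoking the go command on Windows, a non-empty result is a reason to inspect the go.mod by hand.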

Labels: GoCommand (cmd/go), NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.), OS-Windows, Security
