Commit 6ea3adc3 authored by Nigel Tao's avatar Nigel Tao

reflect: for struct tags, reject control chars (including tabs) in keys,

and empty keys. Also reject malformed (quoted) values.

See also https://go-review.googlesource.com/3952

Change-Id: Ice6de33b09f9904b28e410a680a90aa6c8c76fed
Reviewed-on: https://go-review.googlesource.com/3953Reviewed-by: default avatarRob Pike <r@golang.org>
parent 9209d893
...@@ -2735,6 +2735,8 @@ var tagGetTests = []struct { ...@@ -2735,6 +2735,8 @@ var tagGetTests = []struct {
{`protobuf:"PB(1,2)"`, `rotobuf`, ``}, {`protobuf:"PB(1,2)"`, `rotobuf`, ``},
{`protobuf:"PB(1,2)" json:"name"`, `json`, `name`}, {`protobuf:"PB(1,2)" json:"name"`, `json`, `name`},
{`protobuf:"PB(1,2)" json:"name"`, `protobuf`, `PB(1,2)`}, {`protobuf:"PB(1,2)" json:"name"`, `protobuf`, `PB(1,2)`},
{`k0:"values contain spaces" k1:"and\ttabs"`, "k0", "values contain spaces"},
{`k0:"values contain spaces" k1:"and\ttabs"`, "k1", "and\ttabs"},
} }
func TestTagGet(t *testing.T) { func TestTagGet(t *testing.T) {
......
...@@ -762,8 +762,11 @@ type StructTag string ...@@ -762,8 +762,11 @@ type StructTag string
// If the tag does not have the conventional format, the value // If the tag does not have the conventional format, the value
// returned by Get is unspecified. // returned by Get is unspecified.
func (tag StructTag) Get(key string) string { func (tag StructTag) Get(key string) string {
// When modifying this code, also update the validateStructTag code
// in golang.org/x/tools/cmd/vet/structtag.go.
for tag != "" { for tag != "" {
// skip leading space // Skip leading space.
i := 0 i := 0
for i < len(tag) && tag[i] == ' ' { for i < len(tag) && tag[i] == ' ' {
i++ i++
...@@ -773,19 +776,21 @@ func (tag StructTag) Get(key string) string { ...@@ -773,19 +776,21 @@ func (tag StructTag) Get(key string) string {
break break
} }
// scan to colon. // Scan to colon. A space, a quote or a control character is a syntax error.
// a space or a quote is a syntax error // Strictly speaking, control chars include the range [0x7f, 0x9f], not just
// [0x00, 0x1f], but in practice, we ignore the multi-byte control characters
// as it is simpler to inspect the tag's bytes than the tag's runes.
i = 0 i = 0
for i < len(tag) && tag[i] != ' ' && tag[i] != ':' && tag[i] != '"' { for i < len(tag) && tag[i] > ' ' && tag[i] != ':' && tag[i] != '"' && tag[i] != 0x7f {
i++ i++
} }
if i+1 >= len(tag) || tag[i] != ':' || tag[i+1] != '"' { if i == 0 || i+1 >= len(tag) || tag[i] != ':' || tag[i+1] != '"' {
break break
} }
name := string(tag[:i]) name := string(tag[:i])
tag = tag[i+1:] tag = tag[i+1:]
// scan quoted string to find value // Scan quoted string to find value.
i = 1 i = 1
for i < len(tag) && tag[i] != '"' { for i < len(tag) && tag[i] != '"' {
if tag[i] == '\\' { if tag[i] == '\\' {
...@@ -800,7 +805,10 @@ func (tag StructTag) Get(key string) string { ...@@ -800,7 +805,10 @@ func (tag StructTag) Get(key string) string {
tag = tag[i+1:] tag = tag[i+1:]
if key == name { if key == name {
value, _ := strconv.Unquote(qvalue) value, err := strconv.Unquote(qvalue)
if err != nil {
break
}
return value return value
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment