#golang PSA: Passing global variables to user-supplied handlers is dangerous! Here's an example of how a malicious package can hijack encoding/pem. I'm sure I could find many similar vulns. https://play.golang.org/p/W5zfGFjlMSL
A variant of this is returning a global var directly from a function: https://golang.org/src/bufio/scan.go?s=11218:11227#L328 The caller could overwrite the contents of errorRune with whatever rune they want. I can't really see how this would be exploited, but it's still dangerous.
Just to clarify, the problem isn't returning global variables per se, but returning *pointers to global memory*. So returning a global array is harmless, but returning a slice of that array (or a pointer to it) is not.
And this is a separate problem from being able to redefine exported global variables, like io.EOF. (Which is honestly a bigger problem than what I'm describing.) Maybe someday Go will have readonly variables, but until then, audit your dependencies!
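The bufio.ScanRunes variant the thread points at, worked through as an added Go example. This is not code from the tweets or from the Go standard library: scanRuneLeaky is a simplified split-function lookalike that copies the pattern (a package-level errorRune slice returned as-is on invalid UTF-8), scanRuneSafe is the hardened form that returns a copy, and hijackThenObserve is a hypothetical malicious caller. The 0xff and 0xfe input bytes are constructed; they are simply bytes that can never start a valid UTF-8 sequence.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// errorRune mirrors the package-level slice bufio.ScanRunes hands back for
// invalid UTF-8: three bytes encoding U+FFFD, shared by every caller.
var errorRune = []byte(string(utf8.RuneError))

// splitWidth reports how many bytes the first rune of data occupies and
// whether it was validly encoded. DecodeRune signals an invalid encoding
// with (RuneError, 1); a literally encoded U+FFFD comes back with width 3.
func splitWidth(data []byte) (width int, valid bool) {
	if len(data) == 0 {
		return 0, true
	}
	if data[0] < utf8.RuneSelf {
		return 1, true
	}
	r, w := utf8.DecodeRune(data)
	return w, !(r == utf8.RuneError && w == 1)
}

// scanRuneLeaky reproduces the pattern the thread warns about: on an invalid
// encoding it returns errorRune itself, so the caller receives a slice header
// that aliases package-level memory and can write through it.
func scanRuneLeaky(data []byte) (advance int, token []byte) {
	width, valid := splitWidth(data)
	if width == 0 {
		return 0, nil
	}
	if valid {
		return width, data[:width] // the caller's own memory, fine to alias
	}
	return 1, errorRune // pointer into global state escapes to the caller
}

// scanRuneSafe is the hardened variant: the token is a fresh copy, so writes
// through it cannot reach errorRune. Returning a [3]byte array value instead
// of a slice would also copy, which is the array-vs-slice distinction above.
func scanRuneSafe(data []byte) (advance int, token []byte) {
	width, valid := splitWidth(data)
	if width == 0 {
		return 0, nil
	}
	if valid {
		return width, data[:width]
	}
	return 1, append([]byte(nil), errorRune...) // new backing array per call
}

// hijackThenObserve plays the malicious caller: it asks for a token for an
// invalid byte, writes through the returned slice, then makes a second,
// independent call and reports what that call handed back. errorRune is
// restored on exit so the demonstration can be run repeatedly.
func hijackThenObserve(scan func([]byte) (int, []byte)) string {
	pristine := append([]byte(nil), errorRune...)
	defer func() { copy(errorRune, pristine) }()

	_, tok := scan([]byte{0xff}) // constructed input: 0xff is never valid UTF-8
	copy(tok, "abc")             // overwrite whatever memory the token points at
	_, again := scan([]byte{0xfe})
	return string(again)
}

func main() {
	fmt.Printf("leaky: second caller sees %q\n", hijackThenObserve(scanRuneLeaky))
	fmt.Printf("safe:  second caller sees %q\n", hijackThenObserve(scanRuneSafe))
}
```

With the leaky scanner the second, unrelated call returns "abc": three bytes of the package's own state were rewritten by a caller that only ever received a return value. The hardened scanner still returns U+FFFD because each caller gets its own copy. The cost of the copy is one small allocation on the invalid-input path only; the valid path is unchanged.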