#golang PSA: Passing global variables to user-supplied handlers is dangerous! Here's an example of how a malicious package can hijack encoding/pem. I'm sure I could find many similar vulns. https://play.golang.org/p/W5zfGFjlMSL
Just to clarify, the problem isn't returning global variables per se, but returning *pointers to global memory*. So returning a global array is harmless, but returning a slice of that array (or a pointer to it) is not.
And this is a separate problem from being able to redefine exported global variables, like io.EOF. (Which is honestly a bigger problem than what I'm describing.) Maybe someday Go will have readonly variables, but until then, audit your dependencies!