cmd/go: check pattern for utf8 validity before call regexp.MustCompile

fengyoulin · matloob · commit cbdad4fc3cec · 2025-09-16T12:31:12.000-07:00
Do not panic if the package path or the package version contains invalid UTF-8 characters. Fixes #75251 Change-Id: Ib787e74277cf814253857b911d378ea5e53d8824 Reviewed-on: https://go-review.googlesource.com/c/go/+/700815 Reviewed-by: Michael Matloob <matloob@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Alexander <jitsu@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
diff --git a/src/cmd/go/internal/modget/query.go b/src/cmd/go/internal/modget/query.go
@@ -10,6 +10,7 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"unicode/utf8"
 
 	"cmd/go/internal/base"
 	"cmd/go/internal/gover"
@@ -285,6 +286,11 @@ func reportError(q *query, err error) {
 	// TODO(bcmills): Use errors.As to unpack these errors instead of parsing
 	// strings with regular expressions.
 
+	if !utf8.ValidString(q.pattern) || !utf8.ValidString(q.version) {
+		base.Errorf("go: %s", errStr)
+		return
+	}
+
 	patternRE := regexp.MustCompile("(?m)(?:[ \t(\"`]|^)" + regexp.QuoteMeta(q.pattern) + "(?:[ @:;)\"`]|$)")
 	if patternRE.MatchString(errStr) {
 		if q.rawVersion == "" {
diff --git a/src/cmd/go/testdata/script/get_panic_issue75251.txt b/src/cmd/go/testdata/script/get_panic_issue75251.txt
@@ -0,0 +1,16 @@
+# Issue #75251: Don't panic if the package path or the package version
+# contains invalid UTF-8 characters.
+
+go mod init m
+
+! go get golang.org/x/net/http/httpguts�v0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'malformed module path'
+
+! go get golang.org/x/net/http/httpguts�@v0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'malformed module path'
+
+! go get golang.org/x/net/http/httpguts@�v0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'disallowed version string'
diff --git a/src/cmd/internal/pkgpattern/pkgpattern.go b/src/cmd/internal/pkgpattern/pkgpattern.go
@@ -7,6 +7,7 @@ package pkgpattern
 import (
 	"regexp"
 	"strings"
+	"unicode/utf8"
 )
 
 // Note: most of this code was originally part of the cmd/go/internal/search
@@ -71,7 +72,7 @@ func matchPatternInternal(pattern string, vendorExclude bool) func(name string)
 
 	const vendorChar = "\x00"
 
-	if vendorExclude && strings.Contains(pattern, vendorChar) {
+	if vendorExclude && strings.Contains(pattern, vendorChar) || !utf8.ValidString(pattern) {
 		return func(name string) bool { return false }
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ package pkgpattern`
`7`	`7`	`import (`
`8`	`8`	`"regexp"`
`9`	`9`	`"strings"`
	`10`	`+ "unicode/utf8"`
`10`	`11`	`)`
`11`	`12`
`12`	`13`	`// Note: most of this code was originally part of the cmd/go/internal/search`
`@@ -71,7 +72,7 @@ func matchPatternInternal(pattern string, vendorExclude bool) func(name string)`
`71`	`72`
`72`	`73`	`const vendorChar = "\x00"`
`73`	`74`
`74`		`- if vendorExclude && strings.Contains(pattern, vendorChar) {`
	`75`	`+ if vendorExclude && strings.Contains(pattern, vendorChar) \|\| !utf8.ValidString(pattern) {`
`75`	`76`	`return func(name string) bool { return false }`
`76`	`77`	`}`
`77`	`78`