cmd/go: check pattern for utf8 validity before call regexp.MustCompile

Do not panic if the package path or the package version contains invalid UTF-8 characters. Fixes #75251 Change-Id: Ib787e74277cf814253857b911d378ea5e53d8824 Reviewed-on: https://go-review.googlesource.com/c/go/+/700815 Reviewed-by: Michael Matloob <matloob@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Alexander <jitsu@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
2025-10-19 19:13:18 +00:00 · 2025-09-04 09:17:26 +08:00 · 2025-09-04 09:17:26 +08:00 · cbdad4fc3c
commit cbdad4fc3c
parent c2d85eb999
3 changed files with 24 additions and 1 deletions
--- a/src/cmd/go/internal/modget/query.go
+++ b/src/cmd/go/internal/modget/query.go
@ -10,6 +10,7 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"unicode/utf8"

 	"cmd/go/internal/base"
 	"cmd/go/internal/gover"
@ -285,6 +286,11 @@ func reportError(q *query, err error) {
 	// TODO(bcmills): Use errors.As to unpack these errors instead of parsing
 	// strings with regular expressions.

+	if !utf8.ValidString(q.pattern) || !utf8.ValidString(q.version) {
+		base.Errorf("go: %s", errStr)
+		return
+	}
+
 	patternRE := regexp.MustCompile("(?m)(?:[ \t(\"`]|^)" + regexp.QuoteMeta(q.pattern) + "(?:[ @:;)\"`]|$)")
 	if patternRE.MatchString(errStr) {
 		if q.rawVersion == "" {
--- a/src/cmd/go/testdata/script/get_panic_issue75251.txt
+++ b/src/cmd/go/testdata/script/get_panic_issue75251.txt
@ -0,0 +1,16 @@
+# Issue #75251: Don't panic if the package path or the package version
+# contains invalid UTF-8 characters.
+
+go mod init m
+
+! go get golang.org/x/net/http/httpgutsÿv0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'malformed module path'
+
+! go get golang.org/x/net/http/httpgutsÿ@v0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'malformed module path'
+
+! go get golang.org/x/net/http/httpguts@ÿv0.43.0 # contains 0xff byte
+! stderr panic
+stderr 'disallowed version string'
--- a/src/cmd/internal/pkgpattern/pkgpattern.go
+++ b/src/cmd/internal/pkgpattern/pkgpattern.go
@ -7,6 +7,7 @@ package pkgpattern
 import (
 	"regexp"
 	"strings"
+	"unicode/utf8"
 )

 // Note: most of this code was originally part of the cmd/go/internal/search
@ -71,7 +72,7 @@ func matchPatternInternal(pattern string, vendorExclude bool) func(name string)

 	const vendorChar = "\x00"

-	if vendorExclude && strings.Contains(pattern, vendorChar) {
+	if vendorExclude && strings.Contains(pattern, vendorChar) || !utf8.ValidString(pattern) {
 		return func(name string) bool { return false }
 	}