科技回声 (Tech Echo)
© 2025 科技回声. All rights reserved.

Jia Tanning Go Code

33 points, by zoidb, 7 months ago

3 comments

rsc, 7 months ago
While you can create and build a local package with U+FE0E in its file name, you cannot create or download a module using that character in a file name. So you could run this attack in someone's top-level repo but not in any of their dependencies. That's something at least.

https://go.googlesource.com/mod/+/refs/heads/master/module/module.go#58
https://go.googlesource.com/mod/+/refs/heads/master/module/module.go#272
[Comment #41971613 not loaded]
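The module-path rule rsc links is the check a practitioner wants to run over their own repository, since a top-level repo gets none of the protection a downloaded module gets. The block below is an added example, not code from the thread, from rsc, or from golang.org/x/mod: it re-implements the per-rune rule for module file-name elements as I remember it from module.go (ASCII letters, digits and a short punctuation list; outside ASCII only unicode.IsLetter) and scans a constructed list of paths with it. The exact allowed-punctuation string is an assumption copied from memory, not verified against the linked source; the behaviour that matters here, rejection of U+FE0E (a nonspacing mark, not a letter) and of zero-width format characters, does not depend on it.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Added example (not from the thread or from golang.org/x/mod).
// Assumption: this punctuation list mirrors x/mod's fileNameOK; it is
// reproduced from memory and may differ in minor ways.
const allowedASCIIPunct = "!#$%&()+,-.=@[]^_{}~ "

// fileNameRuneOK reports whether r may appear in a module file-path element:
// ASCII letters, digits and a fixed punctuation set; beyond ASCII, letters only.
// U+FE0E (VARIATION SELECTOR-15) and U+200B (ZERO WIDTH SPACE) are not letters.
func fileNameRuneOK(r rune) bool {
	if r < utf8.RuneSelf {
		if '0' <= r && r <= '9' || 'a' <= r && r <= 'z' || 'A' <= r && r <= 'Z' {
			return true
		}
		return strings.ContainsRune(allowedASCIIPunct, r)
	}
	return unicode.IsLetter(r)
}

// CheckFileName returns an error naming the first offending rune in one
// path element, or nil if every rune is acceptable.
func CheckFileName(elem string) error {
	if elem == "" {
		return fmt.Errorf("empty path element")
	}
	for i, r := range elem {
		if !fileNameRuneOK(r) {
			return fmt.Errorf("%q: disallowed character %U at byte %d", elem, r, i)
		}
	}
	return nil
}

// ScanPaths checks every "/"-separated element of each path (directories
// included) and returns the paths a module proxy would refuse, with the reason.
func ScanPaths(paths []string) map[string]string {
	bad := map[string]string{}
	for _, p := range paths {
		for _, elem := range strings.Split(p, "/") {
			if err := CheckFileName(elem); err != nil {
				bad[p] = err.Error()
				break
			}
		}
	}
	return bad
}

func main() {
	// Constructed sample tree: two names carry invisible characters that
	// render identically to their honest neighbours in most UIs.
	sample := []string{
		"go.mod",
		"cmd/app/main.go",
		"cmd/app/main\uFE0E.go", // U+FE0E after "main"
		"docs/café.md",          // non-ASCII letter, allowed
		"pkg/util\u200B.go",     // zero-width space, rejected
	}
	for p, why := range ScanPaths(sample) {
		fmt.Printf("REJECT %s: %s\n", p, why)
	}
}
```

To run it over a real checkout, feed ScanPaths the relative paths from filepath.WalkDir; the point of the scan is exactly the gap rsc describes, code that `go build` accepts locally but that could never be published as a module.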
fnands, 7 months ago
> I am not employed at the University of Minnesota so I don't go around sending malicious patches just to see what would happen.

Lol, they will never live that one down.
kbolino, 7 months ago
A vulnerability illustrated here is that of packages having global state which is both security-critical and world-mutable. Such a vulnerability exists in the standard library, most notably (crypto/rand).Reader which is usually fed by the system CSPRNG but can be overwritten to any io.Reader value. There has been some discussion around different ways to address this issue, but fixing it has generally been rejected by the language maintainers, e.g. https://github.com/golang/go/issues/42713, with the argument that fixing it directly just provides an illusion of security.
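The following is an added example, not code from the thread, from kbolino, or from the Go project, showing what the world-mutable crypto/rand.Reader means in practice. HijackReader does in one line what a hostile dependency's init() could do; NewNonce is ordinary application code that trusts rand.Reader, as nearly all Go code does, and after the hijack it hands back all-zero bytes. ReaderLooksGenuine is a heuristic startup check and is labelled as such: it assumes the standard library's default reader is an unexported type declared in package crypto/rand (true for the Linux implementations I know of), and it cannot catch a dependency that uses a replaced reader and then swaps the original back, which is the limitation behind the "illusion of security" argument. The zeroReader is a constructed stand-in; a real attacker would return seeded, random-looking output.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"reflect"
)

// Added example, not from the thread or from the Go project.

// zeroReader is a constructed attacker's reader. Real malicious code would
// produce bytes from a seed the attacker knows, which look random to anyone
// who does not hold the seed.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// genuineReader is whatever rand.Reader held when this package initialised.
// Dependencies initialise first, so a hostile dependency could already have
// swapped it by now; capturing "the original" here is not a real defence.
var genuineReader = rand.Reader

// HijackReader is what a malicious dependency's init() could do. Nothing in
// the language or toolchain prevents it.
func HijackReader() {
	rand.Reader = zeroReader{}
}

// RestoreReader puts back the reader captured at init (for the demo only).
func RestoreReader() {
	rand.Reader = genuineReader
}

// NewNonce is correct-looking application code that trusts rand.Reader.
func NewNonce(n int) ([]byte, error) {
	buf := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// IsAllZero reports whether b contains only zero bytes.
func IsAllZero(b []byte) bool {
	return bytes.Equal(b, make([]byte, len(b)))
}

// ReaderLooksGenuine is a heuristic: the default reader is an unexported
// type declared in package crypto/rand, so a dynamic type from anywhere else
// means it has been replaced. Assumption: the stdlib keeps that type in
// crypto/rand. A replacement that is restored before this runs is not caught.
func ReaderLooksGenuine() bool {
	t := reflect.TypeOf(rand.Reader)
	if t == nil {
		return false
	}
	if t.Kind() == reflect.Ptr {
		t = t.Elem()
	}
	return t.PkgPath() == "crypto/rand"
}

func main() {
	before, _ := NewNonce(16)
	fmt.Printf("genuine reader: %v, nonce all-zero: %v\n", ReaderLooksGenuine(), IsAllZero(before))

	HijackReader() // the one line a "Jia Tan" dependency needs
	after, _ := NewNonce(16)
	fmt.Printf("genuine reader: %v, nonce all-zero: %v\n", ReaderLooksGenuine(), IsAllZero(after))

	RestoreReader()
}
```

The check is worth running once at startup and in CI, but only as a tripwire: because package initialisation order favours the dependency, the maintainers' position that there is no reliable in-process fix stands.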