Closed catenacyber closed 1 year ago
It has nothing to do with that fix, it's just a bug. But the program is pathological, probably generated by fuzzing. Using a space as a delimiter is never going to work.
The right fix, if it's worth doing anything, is probably to restrict the character set for delims.
wasn't this fixed for #52527
I thought it was as #53261 was merged cf https://github.com/golang/go/issues/52527#issuecomment-1149430888
But it reappeared shortly after
I want to be clear that this program is not sensible and no effort should be spent to make it succeed. I believe the right fix is to reject the delimiters, whether or not the actual out-of-range bug is fixed. You're using spaces (actually the "ignore spaces" character sequence) as a delimiter, and that is going to confuse the lexer irreparably. The best this program could do, if it didn't reject the delimiters outright, is explain in the documentation that the behavior is unpredictable.
The problem becomes whether we can restrict the character set for delimiters without breaking existing code, or just document that doing this kind of thing won't work.
I thought it was as #53261 was merged cf #52527 (comment)
But it reappeared shortly after
Removing the concurrency did not address any indexing problems, it just cleaned up the interaction with the parser and sped it up. That said, it should make them easier to fix, but see my other comment. I don't want this fixed.
Change https://go.dev/cl/433036 mentions this issue: text/template/parse: fix confusion about markers near right delims
A less line-noisy example is template.New("").Delims("{{- ", " -}}").Parse("{{- x -}}")
.
Yes it's dumb, but it should probably work. I sent a trivial CL.
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
Run https://go.dev/play/p/XRz1BdFwz4O?v=gotip
What did you expect to see?
The program finishing and printing somme dummy data
What did you see instead?
Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51463
I think this was meant to be fixed by https://github.com/golang/go/issues/53261 cc @robpike