gitea
gitea copied to clipboard
go-gitea
Enable gocritic equalFold and autofix issues
Enable https://go-critic.com/overview.html#equalfold, which is marked experimental, so was not enabled by default and ran make lint-go-fix. Reasons why strings.EqualFold is preferred here.
I won't block it but IMO EqualFold is not a right approach if we only want to handle ASCII chars. Sometimes it is just abused.
func TestString(t *testing.T) {
s1 := "K"
s2 := "\u212A"
assert.True(t, strings.EqualFold(s1, s2))
}
I see it as a benefit that it handles unicode as well. More often than not you want unicode comparison, especially when dealing with user-submitted data.
Why it makes sense to use Unicode for HTTP headers or something else? Doesn't it break the standard if the headers are "folded" by unicode chars?
In short:
- If we'd like to check "if the string can pass", EqualFold relaxes the charsets, it might be abused or introduce security problems.
- If we'd like to check "if the string should not pass", EqualFold make the result more strict, in most cases it should be fine.
Looks like there is a ASCII-only variant ascii.EqualFold:
https://pkg.go.dev/net/http/internal/ascii#EqualFold
Not sure if usable because its in internal namespace.
Looks like there is a ASCII-only variant
ascii.EqualFold:https://pkg.go.dev/net/http/internal/ascii#EqualFold
Yup, we need to implement one by ourself, something like "strcasecmp/stricmp" in C, or we can just call it util.AsciiEqualFold or util.StrEqualNoCase
util.AsciiEqualFold sounds good, we can use it for all the header comparisons. Maybe even open a golang issue so that they make that function part of the public API.