[security] Forbid backslashes from occurring in project names.

This addresses an authorization bypass (which could occur only on
Windows).

A more principled way to do this would be to use `os.Root.OpenRoot`
and scope the actual filesystem operations per-domain. However, I
prototyped this and it was complicated enough that I could not be sure
it would not introduce new issues.

V12-Ref: F-77209
Catherine
2026-05-30 18:53:00 +00:00
parent ad8359c89d
commit cff4b4e41d
+1 -1
@@ -83,7 +83,7 @@ func ValidateProjectName(name string) error {
return fmt.Errorf("must not start with %q", ".")
}
forbiddenChars := "%*"
forbiddenChars := "%*\\"
if strings.ContainsAny(name, forbiddenChars) {
return fmt.Errorf("must not contain any of %q", forbiddenChars)
}
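Review bot: The new `forbiddenChars := "%*\\"` line has no comment saying why backslash is on the list, so the reason lives only in the commit message and a later cleanup could drop it. I would add `// '\\' is a path separator on Windows; allowing it caused an authorization bypass (F-77209).` directly above the assignment, plus a test case that asserts a name containing `\` is rejected. Because this is a deny-list, it covers only the characters someone has already thought of. The body of `ValidateProjectName` starts and ends outside the hunk, so I cannot tell whether `/` or other Windows-significant characters such as `:` are rejected elsewhere. A lexical backstop next to this check, for example `if !filepath.IsLocal(name) { return fmt.Errorf("must be a local name") }`, would catch rooted, drive-qualified and reserved names without the complexity of the `os.Root` approach.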