當我們在go項目中使用C庫,或者引用的第三方庫有使用C庫,有時候會遇到 invalid flag in #cgo LDFLAGS: -w 這種錯誤。
這是因為在項目代碼中,使用了#cgo指令符(directive),對C/C++編譯器添加了 CFLAGS、 CPPFLAGS、CXXFLAGS 、LDFLAGS 等選項設置。
例如github.com/spacemonkeygo/openssl庫的build.go中,則對各個特定平台的C/C++編譯器,設置了不同的編譯約束參數:
package openssl
// #cgo pkg-config: libssl libcrypto
// #cgo linux CFLAGS: -Wno-deprecated-declarations
// #cgo darwin CFLAGS: -I/usr/local/opt/openssl@1.1/include -I/usr/local/opt/openssl/include -Wno-deprecated-declarations
// #cgo darwin LDFLAGS: -w -L/usr/local/opt/openssl@1.1/lib -L/usr/local/opt/openssl/lib
// #cgo windows CFLAGS: -DWIN32_LEAN_AND_MEAN
import "C"
當我們使用go版本在1.10及其以上版本進行項目編譯的時候,則會提示如下錯誤:
go build xxxx/vendor/github.com/spacemonkeygo/openssl: invalid flag in #cgo LDFLAGS: -w
原因是golang為了安全,在使用go get,go build和friends期間,禁止編譯器/鏈接器使用LDFLAGS等連接參數,目的是防止編譯器被攻擊。
如果要使用LDFLAGS等連接參數,我們需要手動指定CGO_LDFLAGS_ALLOW等參數,例如:CGO_LDFLAGS_ALLOW='-w'。
因此在命令行編譯的時候,使用:
CGO_LDFLAGS_ALLOW='-w' go rum main.go
或者在IDE工具中,添加如上環境變量即可。
相關文章:https://github.com/golang/go/wiki/InvalidFlag
相關內容
InvalidFlag
Eddie Webb edited this page on 27 Feb 2019 · 2 revisions
invalid flag in #cgo CFLAGS
This page describes the background for build errors like invalid flag in #cgo CFLAGS and what you can do about them.
CVE-2018-6574 described a potential security violation in the go tool: running go get downloads and builds Go code from the Internet, Go code that uses cgo can specify options to pass to the compiler, so careful use of -fplugin can cause go get to execute arbitrary code. While it is difficult to block every possible way that the compiler might be attacked, we have chosen to block the obvious ones.
As described at issue 23672, this is done by using a safelist of compiler/linker options that are permitted during go get, go build, and friends. When cgo code tries to use to pass an option that is not on the safelist, the go tool will report an error invalid flag in #cgo CFLAGS (or #cgo LDFLAGS, pkg-config --cflags, pkg-config --ldflags, and so forth).
This safelist is new in releases 1.8.7, 1.9.4, and 1.10, and all subsequent releases.
What can I do?
If this happens to you, and the option is benign, you should do two things:
Set the environment variable CGO_CFLAGS_ALLOW (or CGO_LDFLAGS_ALLOW, CGO_CXXFLAGS_ALLOW, and so forth) to a regexp that matches the option.
File a bug requesting that the option be added to the safelist. Be sure to include the complete error message and, if possible, a description of the code you are building.
Why not use an unsafe list?
Because if some new unsafe option is added to a compiler, all existing Go releases will become immediately vulnerable.
Why not get a complete list of compiler options and safelist all of them?
Because there are hundreds of options, and there is no clear way to get a complete list. Many compiler and linker options are target dependent, and thus only reported on specific platforms or in specific configurations. The documentation is known to be incomplete.