path: root/src/archive/zip/reader.go
author: Roland Shoemaker <roland@golang.org> 2021-03-02 10:00:53 -0800
committer: Filippo Valsorda <filippo@golang.org> 2021-03-10 18:18:28 +0000
commit: cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
tree: 66c94a8170569b344cf5880034a8f29d85fab86e /src/archive/zip/reader.go
parent: 1811aeae66bee899317403c92c83b56673919775
archive/zip: fix panic in Reader.Open

When operating on a Zip file that contains a file prefixed with "../",
Open(...) would cause a panic in toValidName when attempting to strip
the prefixed path components.

Fixes CVE-2021-27919
Fixes #44916

Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/300489
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

Diffstat (limited to 'src/archive/zip/reader.go')
-rw-r--r-- src/archive/zip/reader.go 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index 8b4e77875f..c288ad965b 100644
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -664,7 +664,7 @@ func toValidName(name string) string {
if strings.HasPrefix(p, "/") {
p = p[len("/"):]
}
- for strings.HasPrefix(name, "../") {
+ for strings.HasPrefix(p, "../") {
p = p[len("../"):]
}
return p
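
Review bot: the corrected loop `for strings.HasPrefix(p, "../")` strips only prefixes that carry a trailing slash, so a value of p that is exactly ".." is not matched and is handed back unchanged by `return p`. If callers rely on toValidName to return a name that stays inside the archive root, handle that residual case here or state in a comment why it cannot occur. The loop would also benefit from a one-line comment saying that the condition must test p, the variable re-sliced in the body: the old condition tested name, which the body never modifies, so it stayed true while p kept shrinking. This view is limited to reader.go, so a regression test for an entry name prefixed with "../" is not visible here; confirm one lands with the change.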