encoding/gob: warn about decoding data from untrusted sources

And some double space after period cleanup while I'm here. I guess my previous regexps missed these. My next cleaner should probably use go/ast instead of perl. Updates #20221 Change-Id: Idb051e7ac3a7fb1fb86e015f709e32139d065d92 Reviewed-on: https://go-review.googlesource.com/47094 Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Rob Pike <r@golang.org>
author: Brad Fitzpatrick <bradfitz@golang.org> 2017-06-28 23:20:59 +0000
committer: Brad Fitzpatrick <bradfitz@golang.org> 2017-06-29 03:24:29 +0000
commit: 19f73a786bbded4c0e6bd5c6a640320b532d0b87 (patch)
tree: e1b5870f44b46275c0880931c77231051bc904a4 /src/encoding/gob/decoder.go
parent: 8aee0b8b32c103da416369ebd16e2c07ad99badf (diff)
download: go-19f73a786bbded4c0e6bd5c6a640320b532d0b87.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/encoding/gob/decoder.go b/src/encoding/gob/decoder.go
index c182941773..8e0b1dd375 100644
--- a/src/encoding/gob/decoder.go
+++ b/src/encoding/gob/decoder.go
@@ -19,6 +19,10 @@ const tooBig = 1 << 30
 
 // A Decoder manages the receipt of type and data information read from the
 // remote side of a connection.
+//
+// The Decoder does only basic sanity checking on decoded input sizes,
+// and its limits are not configurable. Take caution when decoding gob data
+// from untrusted sources.
 type Decoder struct {
 	mutex        sync.Mutex                              // each item must be received atomically
 	r            io.Reader                               // source of the data
author	Brad Fitzpatrick <bradfitz@golang.org>	2017-06-28 23:20:59 +0000
committer	Brad Fitzpatrick <bradfitz@golang.org>	2017-06-29 03:24:29 +0000
commit	19f73a786bbded4c0e6bd5c6a640320b532d0b87 (patch)
tree	e1b5870f44b46275c0880931c77231051bc904a4 /src/encoding/gob/decoder.go
parent	8aee0b8b32c103da416369ebd16e2c07ad99badf (diff)
download	go-19f73a786bbded4c0e6bd5c6a640320b532d0b87.tar.xz