author Roland Shoemaker <roland@golang.org> 2021-03-02 10:00:53 -0800
committer Filippo Valsorda <filippo@golang.org> 2021-03-10 18:18:28 +0000
commit cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8 (patch)
tree 66c94a8170569b344cf5880034a8f29d85fab86e /src/encoding
parent 1811aeae66bee899317403c92c83b56673919775 (diff)
archive/zip: fix panic in Reader.Open
When operating on a Zip file that contains a file prefixed with "../",
Open(...) would cause a panic in toValidName when attempting to strip the
prefixed path components.

Fixes CVE-2021-27919
Fixes #44916

Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/300489
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Diffstat (limited to 'src/encoding')
0 files changed, 0 insertions, 0 deletions