From 19f73a786bbded4c0e6bd5c6a640320b532d0b87 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Wed, 28 Jun 2017 23:20:59 +0000
Subject: encoding/gob: warn about decoding data from untrusted sources

And some double space after period cleanup while I'm here.
I guess my previous regexps missed these. My next cleaner should
probably use go/ast instead of perl.

Updates #20221

Change-Id: Idb051e7ac3a7fb1fb86e015f709e32139d065d92
Reviewed-on: https://go-review.googlesource.com/47094
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
---
 src/encoding/gob/decoder.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/encoding/gob/decoder.go')

diff --git a/src/encoding/gob/decoder.go b/src/encoding/gob/decoder.go
index c182941773..8e0b1dd375 100644
--- a/src/encoding/gob/decoder.go
+++ b/src/encoding/gob/decoder.go
@@ -19,6 +19,10 @@ const tooBig = 1 << 30
 
 // A Decoder manages the receipt of type and data information read from the
 // remote side of a connection.
+//
+// The Decoder does only basic sanity checking on decoded input sizes,
+// and its limits are not configurable. Take caution when decoding gob data
+// from untrusted sources.
 type Decoder struct {
 	mutex        sync.Mutex                              // each item must be received atomically
 	r            io.Reader                               // source of the data
-- 
cgit v1.3