]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 1811aea) | patch
archive/zip: fix panic in Reader.Open
authorRoland Shoemaker <roland@golang.org>
Tue, 2 Mar 2021 18:00:53 +0000 (10:00 -0800)
committerFilippo Valsorda <filippo@golang.org>
Wed, 10 Mar 2021 18:18:28 +0000 (18:18 +0000)
commitcd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
tree66c94a8170569b344cf5880034a8f29d85fab86etree
parent1811aeae66bee899317403c92c83b56673919775commit | diff
archive/zip: fix panic in Reader.Open

When operating on a Zip file that contains a file prefixed with "../",
Open(...) would cause a panic in toValidName when attempting to strip
the prefixed path components.

Fixes CVE-2021-27919
Fixes #44916

Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/300489
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
src/archive/zip/reader.go diff | blob | history
src/archive/zip/reader_test.go diff | blob | history
Go GOST TLS 1.3