1
0
mirror of https://github.com/golang/go synced 2024-11-23 04:00:03 -07:00

encoding/gob: add top level security doc

Add a slightly expanded version of the Decoder type comment to the top
level package doc, which explains that this package is not designed
to be hardened against adversarial inputs.

Change-Id: I8b83433838c8235eb06ded99041fdf726c811ee5
Reviewed-on: https://go-review.googlesource.com/c/go/+/436096
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
This commit is contained in:
Roland Shoemaker 2022-09-28 14:41:30 -07:00 committed by Gopher Robot
parent ffdfa9ff41
commit 13d48bb6a1

View File

@ -276,6 +276,13 @@ document for background: https://golang.org/doc/go1compat
See "Gobs of data" for a design discussion of the gob wire format:
https://blog.golang.org/gobs-of-data
# Security
This package is not designed to be hardened against adversarial inputs. In
particular, the Decoder does only basic sanity checking on decoded input sizes,
and its limits are not configurable. Care should be taken when decoding gob data
from untrusted sources, which may consume significant resources.
*/
package gob