mirror of
https://github.com/golang/go
synced 2024-11-23 04:00:03 -07:00
encoding/gob: add top level security doc
Add a slightly expanded version of the Decoder type comment to the top level package doc, which explains that this package is not designed to be hardened against adversarial inputs. Change-Id: I8b83433838c8235eb06ded99041fdf726c811ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/436096 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
This commit is contained in:
parent
ffdfa9ff41
commit
13d48bb6a1
@ -276,6 +276,13 @@ document for background: https://golang.org/doc/go1compat
|
||||
|
||||
See "Gobs of data" for a design discussion of the gob wire format:
|
||||
https://blog.golang.org/gobs-of-data
|
||||
|
||||
# Security
|
||||
|
||||
This package is not designed to be hardened against adversarial inputs. In
|
||||
particular, the Decoder does only basic sanity checking on decoded input sizes,
|
||||
and its limits are not configurable. Care should be taken when decoding gob data
|
||||
from untrusted sources, which may consume significant resources.
|
||||
*/
|
||||
package gob
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user