1
0
mirror of https://github.com/golang/go synced 2024-11-24 06:50:17 -07:00
The Go programming language
Go to file
Jason7602 b24687394b archive/zip: don't panic on (*Reader).Open
Previously, opening a zip with (*Reader).Open could result in a panic if
the zip contained a file whose name was exclusively made up of slash
characters or ".." path elements.

Open could also panic if passed the empty string directly as an argument.

Now, any files in the zip whose name could not be made valid for
fs.FS.Open will be skipped, and no longer added to the fs.FS file list,
although they are still accessible through (*Reader).File.

Note that it was already the case that a file could be accessible from
(*Reader).Open with a name different from the one in (*Reader).File, as
the former is the cleaned name, while the latter is the original one.

Finally, made the actual panic site robust as a defense-in-depth measure.

Fixes CVE-2021-41772
Fixes #48085

Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I6271a3f2892e7746f52e213b8eba9a1bba974678
Reviewed-on: https://go-review.googlesource.com/c/go/+/349770
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Julie Qiu <julie@golang.org>
2021-11-02 20:47:30 +00:00
.github .github: update IRC server 2021-09-30 19:56:27 +00:00
api cmd/go: stamp VCS revision and uncommitted status into binaries 2021-10-14 18:44:37 +00:00
doc doc/go1.18: add net/netip 2021-11-02 06:20:21 +00:00
lib/time lib/time: fix RFC 6557 url 2021-08-15 02:18:46 +00:00
misc cmd/dist: add asan tests in misc/cgo/testsanitizers package 2021-11-02 06:21:44 +00:00
src archive/zip: don't panic on (*Reader).Open 2021-11-02 20:47:30 +00:00
test cmd/compile: mark type descriptors as always dupok 2021-11-02 18:31:53 +00:00
.gitattributes
.gitignore internal/buildcfg: move build configuration out of cmd/internal/objabi 2021-04-16 19:20:53 +00:00
AUTHORS A+C: add Leonard Wang (individual CLA) 2021-11-02 06:25:39 +00:00
codereview.cfg
CONTRIBUTING.md
CONTRIBUTORS A+C: add Leonard Wang (individual CLA) 2021-11-02 06:25:39 +00:00
LICENSE
PATENTS
README.md README.md: update contribute URL 2021-09-30 13:33:21 +00:00
SECURITY.md

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 3.0 Attributions license.

Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at https://golang.org/dl/.

After downloading a binary release, visit https://golang.org/doc/install for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit https://golang.org/doc/install/source for source installation instructions.

Contributing

Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines at https://golang.org/doc/contribute.

Note that the Go project uses the issue tracker for bug reports and proposals only. See https://golang.org/wiki/Questions for a list of places to ask questions about the Go language.