package: archive/zip
stdlib: true
versions:
  - introduced: go1.16
    fixed: go1.16.1
description: |
  Using Reader.Open on an archive containing a file with a path
  prefixed by "../" will cause a panic due to a stack overflow.
  If parsing user-supplied archives, this may be used as a
  denial of service vector.
published: 2021-04-14T12:00:00Z
cve: CVE-2021-27919
symbols:
  - toValidName
links:
  pr: https://go-review.googlesource.com/c/go/+/300489
  commit: https://github.com/golang/go/commit/cd3b4ca9f20fd14187ed4cdfdee1a02ea87e5cd8
  context:
    - https://github.com/golang/go/issues/44916