blob: 2742e09af88f7bc457915d1c366194bdf265b170 [file] [log] [blame]
module: std
package: archive/zip
versions:
- fixed: go1.16.10
- fixed: go1.17.3
description: |
Previously, opening a zip with (*Reader).Open could result in a panic if the
zip contained a file whose name was exclusively made up of slash characters or
".." path elements.
Open could also panic if passed the empty string directly as an argument.
Now, any files in the zip whose name could not be made valid for fs.FS.Open
will be skipped, and no longer added to the fs.FS file list, although they
are still accessible through (*Reader).File.
Note that it was already the case that a file could be accessible from
(*Reader).Open with a name different from the one in (*Reader).File, as the
former is the cleaned name, while the latter is the original one.
Finally, the actual panic site was made robust as a defense-in-depth measure.
cves:
- CVE-2021-41772
credit: Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code Intelligence
Team
symbols:
- split
- Reader.Open
links:
pr: https://go.dev/cl/349770
commit: https://go.googlesource.com/go/+/b24687394b55a93449e2be4e6892ead58ea9a10f
context:
- https://groups.google.com/g/golang-announce/c/0fM21h43arc
- https://go.dev/issue/48085