Commit 634d28d7 authored by Roland Shoemaker, committed by Katie Hockman

[release-branch.go1.16-security] archive/zip: fix panic in Reader.Open

When operating on a Zip file that contains a file prefixed with "../",
Open(...) would cause a panic in toValidName when attempting to strip
the prefixed path components.

Fixes CVE-2021-27919

Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
(cherry picked from commit ce22003b26eaf8e4a690757f699aae7062d41472)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1013753
Reviewed-by: Roland Shoemaker <bracewell@google.com>
parent d86e53e8
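
A regression check for the behaviour the commit message describes, added here as an example and not taken from the commit or the Go project: it builds an in-memory archive whose only entry is named "../test.txt" and calls Reader.Open under recover, so a toolchain without the fix reports the panic instead of crashing. The helper names buildArchive and probeOpen and the sample entry are assumptions made for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
)

// buildArchive returns an in-memory zip with one entry (constructed sample data).
func buildArchive(entry string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create(entry)
	if err == nil {
		_, err = f.Write([]byte("constructed sample\n"))
	}
	if err == nil {
		err = w.Close()
	}
	return buf.Bytes(), err
}

// probeOpen calls Reader.Open(name) and reports a panic instead of crashing.
func probeOpen(data []byte, name string) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked, err = true, fmt.Errorf("panic in Reader.Open: %v", r)
		}
	}()
	// NewReader can return a usable Reader together with an error for
	// such entry names, so only a nil Reader is treated as fatal here.
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if zr == nil {
		return false, err
	}
	f, err := zr.Open(name)
	if err != nil {
		return false, err
	}
	return false, f.Close()
}

func main() {
	data, err := buildArchive("../test.txt")
	if err != nil {
		panic(err)
	}
	panicked, err := probeOpen(data, "test.txt")
	fmt.Printf("panicked=%v err=%v\n", panicked, err)
}
```

On a fixed toolchain the entry is reachable through the fs.FS view as "test.txt", while the raw name "../test.txt" is rejected by Open with an error rather than a panic.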