Commit b2468739 authored Sep 14, 2021 by Jason7602 Committed by Filippo Valsorda Nov 02, 2021

archive/zip: don't panic on (*Reader).Open



Previously, opening a zip with (*Reader).Open could result in a panic if
the zip contained a file whose name was exclusively made up of slash
characters or ".." path elements.

Open could also panic if passed the empty string directly as an argument.

Now, any files in the zip whose name could not be made valid for
fs.FS.Open will be skipped, and no longer added to the fs.FS file list,
although they are still accessible through (*Reader).File.

Note that it was already the case that a file could be accessible from
(*Reader).Open with a name different from the one in (*Reader).File, as
the former is the cleaned name, while the latter is the original one.

Finally, made the actual panic site robust as a defense-in-depth measure.

Fixes CVE-2021-41772
Fixes #48085

Co-authored-by: Filippo Valsorda <filippo@golang.org>
Change-Id: I6271a3f2892e7746f52e213b8eba9a1bba974678
Reviewed-on: https://go-review.googlesource.com/c/go/+/349770


Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Julie Qiu <julie@golang.org>

parent b29182b5

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 88407a8d
· Feb 10, 2022

mentioned in commit 88407a8d

mentioned in commit 88407a8dd98411f1730907dc8a69b99488af0052

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit b212ba68
· Feb 10, 2022

mentioned in commit b212ba68

mentioned in commit b212ba68296b503b395e7d1838ca72a19030a6bf

Toggle commit list

Please to comment