diff options
author | Brad Fitzpatrick <bradfitz@golang.org> | 2018-06-12 19:33:23 +0000 |
---|---|---|
committer | Brad Fitzpatrick <bradfitz@golang.org> | 2018-06-13 21:57:41 +0000 |
commit | fc0e1d2b6fbcb9c27b1eed5892de62de6b1fbae6 (patch) | |
tree | 48aa82023f4811cfe53e68c4eea7b9dd5c1b3e6a /src/archive | |
parent | 1e721cfc43c4f3c4e24a386c7e283d9fec59e2f4 (diff) | |
download | go-git-fc0e1d2b6fbcb9c27b1eed5892de62de6b1fbae6.tar.gz |
archive/zip: warn about FileHeader.Name being unvalidated on read
Updates #25849
Change-Id: I09ee928b462ab538a9d38c4e317eaeb8856919f2
Reviewed-on: https://go-review.googlesource.com/118335
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
Diffstat (limited to 'src/archive')
-rw-r--r-- | src/archive/zip/struct.go | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/archive/zip/struct.go b/src/archive/zip/struct.go index c545c5b830..c90151d9d4 100644 --- a/src/archive/zip/struct.go +++ b/src/archive/zip/struct.go @@ -81,9 +81,17 @@ const ( // See the zip spec for details. type FileHeader struct { // Name is the name of the file. - // It must be a relative path, not start with a drive letter (e.g. C:), + // + // It must be a relative path, not start with a drive letter (such as "C:"), // and must use forward slashes instead of back slashes. A trailing slash // indicates that this file is a directory and should have no data. + // + // When reading zip files, the Name field is populated from + // the zip file directly and is not validated for correctness. + // It is the caller's responsibility to sanitize it as + // appropriate, including canonicalizing slash directions, + // validating that paths are relative, and preventing path + // traversal through filenames ("../../../"). Name string // Comment is any arbitrary user-defined string shorter than 64KiB. |