author | Roland Shoemaker <roland@golang.org> | 2021-03-02 10:00:53 -0800 |
---|---|---|
committer | Katie Hockman <katiehockman@google.com> | 2021-03-09 17:55:16 +0000 |
commit | 634d28d78ccbeb6e86f8bfeba030ea8be518f8fa (patch) | |
tree | a3900a10b13f77f9665cdd6d36ec29f79d20235a /VERSION | |
parent | d86e53e896eca907ad67300c0bb495e3dd925358 (diff) | |
download | go-634d28d78ccbeb6e86f8bfeba030ea8be518f8fa.tar.gz go-634d28d78ccbeb6e86f8bfeba030ea8be518f8fa.zip |
[release-branch.go1.16-security] archive/zip: fix panic in Reader.Open

When operating on a Zip file that contains a file prefixed with "../",
Open(...) would cause a panic in toValidName when attempting to strip
the prefixed path components.

Fixes CVE-2021-27919

Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
(cherry picked from commit ce22003b26eaf8e4a690757f699aae7062d41472)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1013753
Reviewed-by: Roland Shoemaker <bracewell@google.com>

Diffstat (limited to 'VERSION')
0 files changed, 0 insertions, 0 deletions