[release-branch.go1.16-security] archive/zip: fix panic in Reader.Open - go

diff options

author	Roland Shoemaker <roland@golang.org>	2021-03-02 10:00:53 -0800
committer	Katie Hockman <katiehockman@google.com>	2021-03-09 17:55:16 +0000
commit	634d28d78ccbeb6e86f8bfeba030ea8be518f8fa (patch)
tree	a3900a10b13f77f9665cdd6d36ec29f79d20235a /VERSION
parent	d86e53e896eca907ad67300c0bb495e3dd925358 (diff)
download	go-634d28d78ccbeb6e86f8bfeba030ea8be518f8fa.tar.gz go-634d28d78ccbeb6e86f8bfeba030ea8be518f8fa.zip

[release-branch.go1.16-security] archive/zip: fix panic in Reader.Open

When operating on a Zip file that contains a file prefixed with "../", Open(...) would cause a panic in toValidName when attempting to strip the prefixed path components. Fixes CVE-2021-27919 Change-Id: Ic755d8126cb0897e2cbbdacf572439c38dde7b35 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004761 Reviewed-by: Filippo Valsorda <valsorda@google.com> Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Katie Hockman <katiehockman@google.com> (cherry picked from commit ce22003b26eaf8e4a690757f699aae7062d41472) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1013753 Reviewed-by: Roland Shoemaker <bracewell@google.com>

Diffstat (limited to 'VERSION')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: