archive/zip: warn about FileHeader.Name being unvalidated on read

Updates #25849

Change-Id: I09ee928b462ab538a9d38c4e317eaeb8856919f2
Reviewed-on: https://go-review.googlesource.com/118335
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>

1 files changed, 9 insertions, 1 deletions

diff --git a/src/archive/zip/struct.go b/src/archive/zip/struct.go
index c545c5b830..c90151d9d4 100644
--- a/src/archive/zip/struct.go
+++ b/src/archive/zip/struct.go
@@ -81,9 +81,17 @@ const (
 // See the zip spec for details.
 type FileHeader struct {
 	// Name is the name of the file.
-	// It must be a relative path, not start with a drive letter (e.g. C:),
+	//
+	// It must be a relative path, not start with a drive letter (such as "C:"),
 	// and must use forward slashes instead of back slashes. A trailing slash
 	// indicates that this file is a directory and should have no data.
+	//
+	// When reading zip files, the Name field is populated from
+	// the zip file directly and is not validated for correctness.
+	// It is the caller's responsibility to sanitize it as
+	// appropriate, including canonicalizing slash directions,
+	// validating that paths are relative, and preventing path
+	// traversal through filenames ("../../../").
 	Name string
 
 	// Comment is any arbitrary user-defined string shorter than 64KiB.