GO-2021-0264

See a problem?

Source

https://pkg.go.dev/vuln/GO-2021-0264

Import Source

https://vuln.go.dev/ID/GO-2021-0264.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2021-0264

Aliases

Published

2022-01-13T20:54:43Z

Modified

2024-05-20T16:03:47Z

Summary

Panic when opening certain archives in archive/zip

Details

Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements.

Open could also panic if passed the empty string directly as an argument.

Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File.

Note that it was already the case that a file could be accessible from (Reader).Open with a name different from the one in (Reader).File, as the former is the cleaned name, while the latter is the original one.

Finally, the actual panic site was made robust as a defense-in-depth measure.

References

Credits

- Colin Arnott (SiteHost)
- Noah Santschi-Cooney (Sourcegraph Code Intelligence Team)

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.10

Introduced

1.17.0-0

Fixed

1.17.3

Ecosystem specific

{
    "imports": [
        {
            "path": "archive/zip",
            "symbols": [
                "Reader.Open",
                "split"
            ]
        }
    ]
}