archive/zip: Writer should validate file validity #17402

Closed
dsnet opened this issue Oct 11, 2016 · 2 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.

@dsnet
Member

dsnet commented Oct 11, 2016

The ZIP format uses uint16 to contain the length of the file name and the length of the Extra section. We should verify that the lengths of these fields fit in a uint16 prior to writing the ZIP file.

See

```go
b.uint16(uint16(len(h.Name)))
b.uint16(uint16(len(h.Extra)))
if _, err := w.Write(buf[:]); err != nil {
	return err
}
if _, err := io.WriteString(w, h.Name); err != nil {
	return err
}
_, err := w.Write(h.Extra)
```

@dsnet dsnet added this to the Go1.8Maybe milestone Oct 11, 2016
@dsnet dsnet self-assigned this Oct 11, 2016
@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 11, 2016
@dsnet dsnet modified the milestones: Go1.9, Go1.8Maybe Oct 14, 2016
@dsnet dsnet modified the milestones: Go1.10, Go1.9 May 22, 2017
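
The failure mode described in the issue, as an added example that is not code from the Go project or from CL 50250: an unchecked `uint16(len(...))` conversion wraps, so a reader that trusts the length field recovers a different name than the one written. The names `encode`, `decodeName`, `errNameTooLong` and `errExtraTooLong` are hypothetical, and the buffer models only the two length fields plus the name and extra bytes, not a full ZIP header.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"strings"
)

// Hypothetical error values for this example (not the standard library's).
var (
	errNameTooLong  = errors.New("name length does not fit in uint16")
	errExtraTooLong = errors.New("extra length does not fit in uint16")
)

// encode writes two little-endian uint16 lengths, then the name, then the
// extra bytes. With check=false the lengths are converted unchecked, as in
// the snippet quoted in the issue; with check=true oversize input is refused.
func encode(name string, extra []byte, check bool) ([]byte, error) {
	if check && len(name) > math.MaxUint16 {
		return nil, errNameTooLong
	}
	if check && len(extra) > math.MaxUint16 {
		return nil, errExtraTooLong
	}
	out := make([]byte, 4, 4+len(name)+len(extra))
	binary.LittleEndian.PutUint16(out[0:2], uint16(len(name)))
	binary.LittleEndian.PutUint16(out[2:4], uint16(len(extra)))
	out = append(out, name...)
	return append(out, extra...), nil
}

// decodeName reads the name back the way a reader would: it trusts the
// stored length field and has no way to know it was truncated.
func decodeName(b []byte) string {
	n := int(binary.LittleEndian.Uint16(b[0:2]))
	return string(b[4 : 4+n])
}

func main() {
	long := strings.Repeat("a", math.MaxUint16+6) // constructed oversize name
	raw, _ := encode(long, nil, false)
	fmt.Printf("unchecked: wrote %d name bytes, reader sees %d\n",
		len(long), len(decodeName(raw)))
	_, err := encode(long, nil, true)
	fmt.Println("checked:", err)
}
```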
@dsnet
Member Author

dsnet commented Jul 15, 2017

\cc @audreylim

@dsnet dsnet removed their assignment Jul 15, 2017
@gopherbot

CL https://golang.org/cl/50250 mentions this issue.

@golang golang locked and limited conversation to collaborators Aug 13, 2018