archive/zip: OpenReader does not implement GODEBUG=zipinsecurepath=0 #58641

Closed
neild opened this issue Feb 22, 2023 · 1 comment

Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.

neild commented Feb 22, 2023

zip.NewReader returns ErrInsecurePath when opening a zip archive containing an insecure path and when GODEBUG=zipinsecurepath=0 is set, but we (I) overlooked OpenReader. (I thought OpenReader was implemented in terms of NewReader, but no.)

@neild neild self-assigned this Feb 22, 2023
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Feb 22, 2023
@dmitshur dmitshur added this to the Go1.21 milestone Feb 22, 2023
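
A caller-side guard for the gap described in this issue, as an added example that is not part of the original thread or of the Go project's code: it opens an archive through `zip.OpenReader` and applies the same name conditions `archive/zip` documents for `ErrInsecurePath` (non-local per `filepath.IsLocal`, or containing a backslash), so the outcome does not depend on `GODEBUG` or on which entry point carries the check. `openChecked` and `buildSample` are hypothetical helper names, and the sample entry names are constructed.

```go
package main

import (
	"archive/zip"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// openChecked (hypothetical helper) wraps zip.OpenReader and rejects entries
// whose name is non-local or contains a backslash, regardless of GODEBUG.
func openChecked(path string) (*zip.ReadCloser, error) {
	rc, err := zip.OpenReader(path)
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	for _, f := range rc.File {
		if f.Name != "" && (!filepath.IsLocal(f.Name) || strings.Contains(f.Name, `\`)) {
			rc.Close()
			return nil, fmt.Errorf("%w: %q", zip.ErrInsecurePath, f.Name)
		}
	}
	return rc, nil
}

// buildSample writes a constructed archive with the given entry names.
func buildSample(names ...string) (string, error) {
	f, err := os.CreateTemp("", "sample-*.zip")
	if err != nil {
		return "", err
	}
	defer f.Close()
	w := zip.NewWriter(f)
	for _, n := range names {
		if _, err := w.Create(n); err != nil {
			return "", err
		}
	}
	return f.Name(), w.Close()
}

func main() {
	p, err := buildSample("ok.txt", "../evil.txt", `a\b.txt`) // constructed names
	if err == nil {
		defer os.Remove(p)
		_, err = openChecked(p)
	}
	fmt.Println(err)
}
```
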
irsl added a commit to irsl/go-zip-openreader that referenced this issue Feb 23, 2023
zip.NewReader was recently improved to return ErrInsecurePath when insecure
entries are encountered (85a2c19).
This change adopts the same logic for the OpenReader interface as well.

Fixes golang#58641
@gopherbot

Change https://go.dev/cl/470735 mentions this issue: archive/zip: return ErrInsecurePath for unsafe paths by OpenReader

irsl added a commit to irsl/go-zip-openreader that referenced this issue Feb 24, 2023
Addressing concerns raised during code review.

Fixes golang#58641
irsl added a commit to irsl/go-zip-openreader that referenced this issue Mar 6, 2023
zip.NewReader was recently improved to return ErrInsecurePath when
insecure entries are encountered.
This change adopts the same logic for the OpenReader interface as well.

Fixes golang#58641
irsl added a commit to irsl/go-zip-openreader that referenced this issue Mar 7, 2023
zip.NewReader was recently improved to return ErrInsecurePath when
insecure entries are encountered.
This change adopts the same logic for the OpenReader interface as well.

Fixes golang#58641
@golang golang locked and limited conversation to collaborators Apr 4, 2024