On Wed, Feb 23, 2022 at 8:04 PM Mine GO BOOM <minegob...@gmail.com> wrote:
> The core library should be safe and strict. It wouldn't be hard to clone
> the library and make a more lenient version to be used by people who like
> to append zip files to the end of images
> <https://wiki.linuxquestions.org/wiki/Embed_a_zip_file_into_an_image>.
>

That should only be supported by whatever code opens the image file -- not a Go package (whether part of the Go stdlib or a third-party package) that reads "zip" files. The code reading that image file should only pass the "zip" content to the Zip format decoder if it has some confidence the content is in the "zip" format. And the Zip format decoder should still report an error if the content is not valid according to the specification.

> On Wednesday, February 23, 2022 at 6:37:25 PM UTC-8 Kurtis Rader wrote:
>
>> On Wed, Feb 23, 2022 at 6:17 PM Pablo Caballero <pdc...@gmail.com> wrote:
>>
>>> The file you are trying to unzip contains "garbage" at the beginning.
>>>
>>
>> That garbage looks like the sort of HTTP transaction information you'll
>> get from `curl -v` or something similar. In other words, someone
>> inadvertently inserted "garbage" either when uploading the zip file that
>> David downloaded or by someone, or some tool, on David's end when they
>> downloaded the zip file. Regardless, I don't think the Go zip package
>> should silently ignore the unexpected bytes and would argue it's wrong for
>> the Java implementation to do so. Whether the Go zip package should search
>> for the start of the zip signature by skipping the unexpected prefix bytes
>> and returning some indication it had done so is debatable. My vote is no.
>> That sort of behavior is far too easy to result in an exploitable security
>> vulnerability.
>>

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank

-- 
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CABx2%3DD_uFJbTkzsBBfmXSd8sxS2ZHiqHsdO7NHcQvkuN6PY6TA%40mail.gmail.com.
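The policy Kurtis argues for above, written out as an added example (not code from the thread and not the Go project's own archive/zip code): the code that opens the file works out for itself where the archive begins, refuses with a diagnostic that names the offset if anything precedes it, and only then hands the bytes to archive/zip. It does this by reading the End of Central Directory record, whose central-directory offset is relative to the archive's own origin, so the difference between where the directory actually sits and where the EOCD says it should be is exactly the length of any leading data. The function names (zipPrefixLength, openStrictZip, ErrLeadingData), the sample archive and the HTTP-like prefix bytes are all constructed for this example; zip64 archives are deliberately not handled, and the check does not rely on whatever archive/zip itself does with a prefixed file.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	sigCentralHeader = 0x02014b50 // "PK\x01\x02": central directory file header
	sigEOCD          = 0x06054b50 // "PK\x05\x06": end of central directory record
	eocdFixedSize    = 22         // EOCD without its trailing comment
	maxCommentSize   = 0xFFFF     // comment length is a uint16
)

// ErrLeadingData is returned when bytes precede the start of the archive.
var ErrLeadingData = errors.New("zip: unexpected data before start of archive")

// zipPrefixLength returns how many bytes precede the archive's real origin.
// It locates the EOCD record, derives the origin from the recorded central
// directory size and offset, and verifies the directory signature there.
// Inconsistencies are reported as errors; nothing is silently skipped.
func zipPrefixLength(data []byte) (int, error) {
	if len(data) < eocdFixedSize {
		return 0, errors.New("zip: file too short to contain an EOCD record")
	}
	// The EOCD lies within the last 22 + 65535 bytes; scan backwards and
	// accept a candidate only if its comment length makes it end at EOF.
	start := len(data) - (eocdFixedSize + maxCommentSize)
	if start < 0 {
		start = 0
	}
	eocd := -1
	for i := len(data) - eocdFixedSize; i >= start; i-- {
		if binary.LittleEndian.Uint32(data[i:]) != sigEOCD {
			continue
		}
		commentLen := int(binary.LittleEndian.Uint16(data[i+20:]))
		if i+eocdFixedSize+commentLen == len(data) {
			eocd = i
			break
		}
	}
	if eocd < 0 {
		return 0, errors.New("zip: end of central directory record not found")
	}
	cdSize := int64(binary.LittleEndian.Uint32(data[eocd+12:]))
	cdOffset := int64(binary.LittleEndian.Uint32(data[eocd+16:]))
	if cdSize == 0xFFFFFFFF || cdOffset == 0xFFFFFFFF {
		return 0, errors.New("zip: zip64 archive not handled by this check")
	}
	// The central directory immediately precedes the EOCD. cdOffset is
	// measured from the archive's origin, so the difference is the prefix.
	prefix := int64(eocd) - cdSize - cdOffset
	if prefix < 0 {
		return 0, errors.New("zip: central directory offset is inconsistent")
	}
	want := uint32(sigCentralHeader)
	if cdSize == 0 { // empty archive: the "directory" is the EOCD itself
		want = sigEOCD
	}
	if binary.LittleEndian.Uint32(data[int(prefix+cdOffset):]) != want {
		return 0, errors.New("zip: central directory signature not found")
	}
	return int(prefix), nil
}

// openStrictZip hands data to archive/zip only after confirming that the
// archive starts at byte 0; leading data is an error naming the offset.
func openStrictZip(data []byte) (*zip.Reader, error) {
	n, err := zipPrefixLength(data)
	if err != nil {
		return nil, err
	}
	if n != 0 {
		shown := n
		if shown > 16 {
			shown = 16
		}
		return nil, fmt.Errorf("%w: %d bytes, starting %q", ErrLeadingData, n, data[:shown])
	}
	return zip.NewReader(bytes.NewReader(data), int64(len(data)))
}

// buildZip constructs a small in-memory archive used as sample input.
func buildZip(name, content string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create(name)
	f.Write([]byte(content))
	w.Close()
	return buf.Bytes()
}

func main() {
	clean := buildZip("readme.txt", "hello from a constructed archive")
	// Constructed stand-in for the kind of prefix discussed in the thread;
	// this is not captured traffic.
	prefixed := append([]byte("HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"), clean...)
	for _, in := range [][]byte{clean, prefixed} {
		r, err := openStrictZip(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted, entries:", len(r.File))
	}
}
```

The caller keeps the decision: a program that knowingly handles zip-appended images can call zipPrefixLength, log the offset, and pass data[n:] on itself, while the decoder it uses never has to guess where the archive starts.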