archive/zip: warn about FileHeader.Name being unvalidated on read

Updates #25849 Change-Id: I09ee928b462ab538a9d38c4e317eaeb8856919f2 Reviewed-on: https://go-review.googlesource.com/118335Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>

archive/zip: warn about FileHeader.Name being unvalidated on read
Updates #25849 Change-Id: I09ee928b462ab538a9d38c4e317eaeb8856919f2 Reviewed-on: https://go-review.googlesource.com/118335Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
fc0e1d2b · Brad Fitzpatrick · 1e721cfc · fc0e1d2b
Commit fc0e1d2b authored Jun 12, 2018 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

struct.go src/archive/zip/struct.go +9 -1

No files found.
--- a/src/archive/zip/struct.go
+++ b/src/archive/zip/struct.go
@@ -81,9 +81,17 @@ const (
 // See the zip spec for details.
 type FileHeader struct {
 	// Name is the name of the file.
-	// It must be a relative path, not start with a drive letter (e.g. C:),
+	//
+	// It must be a relative path, not start with a drive letter (such as "C:"),
 	// and must use forward slashes instead of back slashes. A trailing slash
 	// indicates that this file is a directory and should have no data.
+	//
+	// When reading zip files, the Name field is populated from
+	// the zip file directly and is not validated for correctness.
+	// It is the caller's responsibility to sanitize it as
+	// appropriate, including canonicalizing slash directions,
+	// validating that paths are relative, and preventing path
+	// traversal through filenames ("../../../").
 	Name string

 	// Comment is any arbitrary user-defined string shorter than 64KiB.