On Wed, Feb 23, 2022 at 6:17 PM Pablo Caballero <pdcv...@gmail.com> wrote:

> The file you are trying to unzip contains "garbage" at the beginning.
>

That garbage looks like the sort of HTTP transaction information you'll get
from `curl -v` or something similar. In other words, "garbage" was
inadvertently inserted either by someone when uploading the zip file that
David downloaded, or by someone, or some tool, on David's end when they
downloaded the zip file. Regardless, I don't think the Go zip package should silently ignore
the unexpected bytes and would argue it's wrong for the Java implementation
to do so. Whether the Go zip package should search for the start of the zip
signature by skipping the unexpected prefix bytes and returning some
indication it had done so is debatable. My vote is no. That sort of
behavior can far too easily result in an exploitable security vulnerability.

-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
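
A sketch of the fail-closed handling argued for in the message above, as an added example that is not part of the original email or of the Go zip package. It measures any prefix from the end-of-central-directory record and rejects the archive instead of skipping the bytes. `PrefixLen`, `OpenStrict` and `SampleZip` are hypothetical names; it assumes the archive is held in memory and is not ZIP64.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
)

// PrefixLen returns the number of bytes that precede the zip data. In a clean
// archive the central directory ends exactly where the EOCD record begins.
func PrefixLen(data []byte) (int64, error) {
	for i := len(data) - 22; i >= 0 && i >= len(data)-22-0xFFFF; i-- {
		if !bytes.Equal(data[i:i+4], []byte("PK\x05\x06")) ||
			i+22+int(binary.LittleEndian.Uint16(data[i+20:])) != len(data) {
			continue // not an EOCD record whose comment ends exactly at EOF
		}
		cdSize := int64(binary.LittleEndian.Uint32(data[i+12:]))
		cdOff := int64(binary.LittleEndian.Uint32(data[i+16:]))
		base := int64(i) - cdOff - cdSize
		if cdSize == 0xFFFFFFFF || cdOff == 0xFFFFFFFF || base < 0 {
			return 0, fmt.Errorf("ZIP64 or inconsistent EOCD record")
		}
		return base, nil
	}
	return 0, fmt.Errorf("no end-of-central-directory record found")
}

// OpenStrict fails closed: any prefix bytes are an error, never skipped.
func OpenStrict(data []byte) (*zip.Reader, error) {
	n, err := PrefixLen(data)
	if err != nil || n != 0 {
		return nil, fmt.Errorf("rejecting archive: %d prefix bytes, err=%v", n, err)
	}
	return zip.NewReader(bytes.NewReader(data), int64(len(data)))
}

// SampleZip builds a constructed one-entry archive in memory.
func SampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	w.Create("hello.txt")
	w.Close()
	return buf.Bytes()
}

func main() { // the prefix below is constructed, resembling `curl -v` output
	_, err := OpenStrict(append([]byte("< HTTP/1.1 200 OK\r\n"), SampleZip()...))
	fmt.Println(err)
}
```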
