The core library should be safe and strict. It wouldn't be hard to clone the library and make a more lenient version to be used by people who like to append zip files to the end of images <https://wiki.linuxquestions.org/wiki/Embed_a_zip_file_into_an_image>.
On Wednesday, February 23, 2022 at 6:37:25 PM UTC-8 Kurtis Rader wrote:

> On Wed, Feb 23, 2022 at 6:17 PM Pablo Caballero <pdc...@gmail.com> wrote:
>
>> The file you are trying to unzip contains "garbage" at the beginning.
>
> That garbage looks like the sort of HTTP transaction information you'll get from `curl -v` or something similar. In other words, someone inadvertently inserted "garbage" either when uploading the zip file that David downloaded or by someone, or some tool, on David's end when they downloaded the zip file. Regardless, I don't think the Go zip package should silently ignore the unexpected bytes and would argue it's wrong for the Java implementation to do so. Whether the Go zip package should search for the start of the zip signature by skipping the unexpected prefix bytes and returning some indication it had done so is debatable. My vote is no. That sort of behavior is far too easy to result in an exploitable security vulnerability.
>
> --
> Kurtis Rader
> Caretaker of the exceptional canines Junior and Hank
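The two behaviours argued over above, strict rejection versus opt-in skipping that still reports the prefix, as an added example that is not code from this thread or from Go's archive/zip. It assumes the archive has at least one entry and that the leading junk does not itself contain the local-header signature; SampleJunk and the entry name are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
)

var localHeaderSig = []byte("PK\x03\x04") // starts every local file header

// PrefixLength returns how many bytes precede the first local file header (0 for
// a normal archive, -1 if none found). Assumes the archive has at least one entry.
func PrefixLength(data []byte) int { return bytes.Index(data, localHeaderSig) }

// OpenStrict refuses data with a leading prefix and reports its length instead of skipping it.
func OpenStrict(data []byte) (*zip.Reader, error) {
	switch n := PrefixLength(data); {
	case n < 0:
		return nil, fmt.Errorf("no ZIP local file header found")
	case n > 0:
		return nil, fmt.Errorf("refusing archive: %d unexpected bytes before ZIP data", n)
	}
	return zip.NewReader(bytes.NewReader(data), int64(len(data)))
}

// OpenLenient skips the prefix but returns its length so the caller can log it.
func OpenLenient(data []byte) (*zip.Reader, int, error) {
	n := PrefixLength(data)
	if n < 0 {
		return nil, -1, fmt.Errorf("no ZIP local file header found")
	}
	zr, err := zip.NewReader(bytes.NewReader(data[n:]), int64(len(data)-n))
	return zr, n, err
}

// SampleJunk is constructed HTTP response text standing in for the thread's "garbage" prefix.
const SampleJunk = "HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n"
// BuildSample writes a one-entry ZIP in memory and prepends SampleJunk.
func BuildSample() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("hello.txt")
	w.Write([]byte("hello"))
	zw.Close()
	return append([]byte(SampleJunk), buf.Bytes()...)
}
func main() {
	_, err := OpenStrict(BuildSample())
	fmt.Println("strict:", err)
}
```

The signature search is deliberately naive: junk that happens to contain `PK\x03\x04`, or an empty archive with no local header, would mislead it, which is part of why skipping is a risky default.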