Gzip header size in gzip.Reader is limited to 512 bytes #20083

Closed
dim13 opened this issue Apr 22, 2017 · 1 comment

dim13 commented Apr 22, 2017

What version of Go are you using (go version)?

go version go1.8.1 darwin/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/quax/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/xw/7wjjryrx3bd760wp0p8j5q3r0000gn/T/go-build040932696=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"

What did you do?

package main

import (
        "compress/gzip"
        "os"
)

func main() {
        fd, err := os.Open("rfc1952.gz") // Contains long comment (> 512 byte), see attached file
        if err != nil {
                panic(err)
        }
        defer fd.Close()
        z, err := gzip.NewReader(fd)
        if err != nil {
                panic(err)
        }
        defer z.Close()
}

Sample file: rfc1952.gz (comment size 25037 bytes)

More real-life samples: OpenBSD packages contain a signature in the gzip header. See go-1.8.tgz (comment size 62131 bytes) and all other contemporary official packages, for example.

What did you expect to see?

No error, parsed gzip header and valid reader.

What did you see instead?

Error: gzip: invalid header

Error origin:

Error cause: the gzip header is read into a fixed (512-byte) buffer. However, according to RFC 1952, the FNAME and FCOMMENT fields are defined as variable-length zero-terminated arrays without any size limits.

dsnet (Member) commented Apr 22, 2017

Thanks for filing. This is a dupe of #14639.

I've intentionally avoided fixing the issue because it can lead to security issues on many HTTP servers. It seems you've provided sufficient evidence that this should be fixed in some way. I'll bump the other issue to the Go1.10 milestone.

dsnet closed this as completed Apr 22, 2017
dim13 changed the title from "Gzip header size in gzip.NewReader is limited to 512 bytes" to "Gzip header size in gzip.Reader is limited to 512 bytes" Apr 22, 2017
golang locked and limited conversation to collaborators Apr 22, 2018
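
The trade-off raised in this thread, shown as an added example (not code from the Go project or from either commenter): a walker for the RFC 1952 member header that takes an explicit cap on FNAME/FCOMMENT length, so a caller can accept long comments like the 25037-byte one reported while still bounding how much of an untrusted stream the header can make it consume. `headerLen`, its `maxField` parameter and the input bytes are constructed for illustration.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"io"
	"strings"
)

// headerLen walks one RFC 1952 member header and returns the bytes consumed.
// maxField is an assumed policy cap on each FNAME/FCOMMENT string (NUL excluded).
func headerLen(r io.ByteReader, maxField int) (n int, err error) {
	next := func() (b byte) { // sticky-error read; n counts consumed bytes
		if err == nil {
			if b, err = r.ReadByte(); err == nil {
				n++
			}
		}
		return b
	}
	var h [10]byte // ID1 ID2 CM FLG MTIME(4) XFL OS
	for i := range h {
		h[i] = next()
	}
	if err == nil && (h[0] != 0x1f || h[1] != 0x8b || h[2] != 8) {
		err = gzip.ErrHeader
	}
	if h[3]&0x04 != 0 { // FEXTRA: little-endian XLEN, then XLEN bytes
		for xlen := int(next()) | int(next())<<8; xlen > 0 && err == nil; xlen-- {
			next()
		}
	}
	for _, bit := range []byte{0x08, 0x10} { // FNAME, then FCOMMENT
		for i := 0; h[3]&bit != 0 && err == nil && next() != 0; i++ {
			if i >= maxField {
				err = gzip.ErrHeader // the error value seen in the report
			}
		}
	}
	for i := 0; i < 2 && h[3]&0x02 != 0; i++ { // FHCRC: CRC16 of the header
		next()
	}
	return n, err
}

func main() { // constructed input: FCOMMENT set, 25037-byte comment as in the report
	in := "\x1f\x8b\x08\x10\x00\x00\x00\x00\x00\x03" + strings.Repeat("c", 25037) + "\x00"
	fmt.Println(headerLen(strings.NewReader(in), 512))   // 523 gzip: invalid header
	fmt.Println(headerLen(strings.NewReader(in), 1<<16)) // 25048 <nil>
}
```

With the cap at 512 the walker gives up after 523 bytes; with a 64 KiB cap it accepts the same header and reports its full 25048-byte length.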