I've intentionally avoided fixing the issue because it can lead to security issues on many HTTP servers. It seems you've provided sufficient evidence that this should be fixed in some way. I'll bump the other issue to the Go1.10 milestone.
dim13 changed the title from "Gzip header size in gzip.NewReader is limited to 512 bytes" to "Gzip header size in gzip.Reader is limited to 512 bytes" on Apr 22, 2017
What version of Go are you using (go version)?
What operating system and processor architecture are you using (go env)?
What did you do?
Sample file: rfc1952.gz (comment size 25037 bytes)
More real-life samples: OpenBSD packages contain a signature in the gzip header. See go-1.8.tgz (comment size 62131 bytes) and all other contemporary official packages for example.
What did you expect to see?
No error, parsed gzip header and valid reader.
What did you see instead?
Error:
gzip: invalid header
Error origin:
Error cause: the gzip header is read into a fixed (512 bytes) buffer. However, according to RFC 1952, the FNAME and FCOMMENT fields are defined as variable-length zero-terminated arrays without any size limits.
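The cause described in the issue, as an added example (not code from the Go project or from anyone in this thread): a streaming walk of an RFC 1952 member header that reads FNAME and FCOMMENT under a caller-chosen cap instead of a fixed 512-byte buffer, so a long comment is accepted while the bytes consumed stay bounded. The names `CommentLen`, `readField`, `Sample`, `ErrFieldTooLong` and the cap values are assumptions made for the example, and the sample header is constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrFieldTooLong = errors.New("gzip header field exceeds limit")

// readField consumes one zero-terminated field, reading at most limit+1 bytes.
func readField(r *bufio.Reader, limit int) (int, error) {
	for n := 0; n <= limit; n++ {
		if b, err := r.ReadByte(); err != nil || b == 0 {
			return n, err
		}
	}
	return limit, ErrFieldTooLong
}

// CommentLen walks an RFC 1952 member header and returns the FCOMMENT length.
func CommentLen(src io.Reader, limit int) (n int, err error) {
	r, h := bufio.NewReader(src), make([]byte, 10) // ID1 ID2 CM FLG MTIME(4) XFL OS
	if _, err = io.ReadFull(r, h); err != nil || !bytes.HasPrefix(h, []byte{0x1f, 0x8b, 8}) {
		return 0, errors.New("not a gzip member")
	}
	if x := make([]byte, 2); h[3]&0x04 != 0 { // FEXTRA: little-endian XLEN, then payload
		if _, err = io.ReadFull(r, x); err == nil {
			_, err = r.Discard(int(x[0]) | int(x[1])<<8)
		}
	}
	if err == nil && h[3]&0x08 != 0 { // FNAME precedes FCOMMENT
		_, err = readField(r, limit)
	}
	if err == nil && h[3]&0x10 != 0 { // FCOMMENT
		n, err = readField(r, limit)
	}
	return n, err
}

func Sample(n int) []byte { // constructed header-only stream with an n-byte FCOMMENT
	hdr := []byte{0x1f, 0x8b, 8, 0x10, 0, 0, 0, 0, 0, 0xff} // FLG 0x10 = FCOMMENT
	return append(append(hdr, bytes.Repeat([]byte{'s'}, n)...), 0)
}

func main() {
	fmt.Println(CommentLen(bytes.NewReader(Sample(25037)), 512))    // over the cap
	fmt.Println(CommentLen(bytes.NewReader(Sample(25037)), 64<<10)) // within the cap
}
```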