140 return err
141 }
142
143 if _, err := io.Copy(fd, tr); err != nil {144 return err
145 }
146 }
55
56 tw.WriteHeader(h)
57
58 if _, err := io.Copy(tw, tr); err != nil { 59 return nil, err
60 }
61 }
A maliciously crafted archive may produce a large amount of data on decompression that may lead to a denial-of-service (DoS) attack on the application.
It is recommended to use io.CopyN
instead of io.Copy
and io.CopyBuffer
to
control the number of bytes copied from the decompression reader.
package main
import (
"bytes"
"compress/zlib"
"io"
"os"
)
func foo(b io.Reader) {
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}
_, err = io.Copy(os.Stdout, r)
if err != nil {
panic(err)
}
r.Close()
}
package main
import (
"bytes"
"compress/zlib"
"io"
"os"
)
func foo(b io.Reader) {
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}
_, err = io.CopyN(os.Stdout, r, 1024) // "n" may change depending on the application
if err != nil {
panic(err)
}
r.Close()
}