483 }
484 }()
485
486 _, err = io.Copy(f, rc)487 if err != nil {
488 return err
489 }
A maliciously crafted archive may produce a large amount of data on decompression that may lead to a denial-of-service (DoS) attack on the application.
It is recommended to use io.CopyN
instead of io.Copy
and io.CopyBuffer
to
control the number of bytes copied from the decompression reader.
package main
import (
"bytes"
"compress/zlib"
"io"
"os"
)
func foo(b io.Reader) {
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}
_, err = io.Copy(os.Stdout, r)
if err != nil {
panic(err)
}
r.Close()
}
package main
import (
"bytes"
"compress/zlib"
"io"
"os"
)
func foo(b io.Reader) {
r, err := zlib.NewReader(b)
if err != nil {
panic(err)
}
_, err = io.CopyN(os.Stdout, r, 1024) // "n" may change depending on the application
if err != nil {
panic(err)
}
r.Close()
}