
archive/zip: Reader.Open panics on empty string [1.17 backport] #48252

@gopherbot

Description


@FiloSottile requested issue #48085 to be considered for backport to the next 1.17 minor release.

Thank you for reporting this to security@golang.org. Invalid input should not cause programs to panic, if the input could be attacker controlled. If this required a call to Open("") to trigger, it could have been borderline, since it's hard for an attacker to control the argument to Open. However, the reproducer in #48085 (comment) triggers a panic with a real file name.

package main

import "archive/zip"

func main() {
	reader, err := zip.OpenReader("liquibase-core-4.4.3-sources.zip")
	if err != nil {
		panic(err)
	}

	reader.Open("META-INF/MANIFEST.MF")
}

We'll backport this as a security fix in the PUBLIC track. @gopherbot, please open backport issues.
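The comment above makes the point that attacker-controlled archives must fail with an error rather than a panic. As an added example (not code from the Go project or from this issue), the hypothetical `safeOpen` below wraps `zip.Reader.Open` so that any panic inside the reader is converted into a returned error, and `buildZip` constructs a small in-memory archive to stand in for untrusted input.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
)

// buildZip builds a one-entry archive in memory (constructed sample input).
func buildZip() ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("META-INF/MANIFEST.MF")
	if err != nil {
		return nil, err
	}
	if _, err := io.WriteString(w, "Manifest-Version: 1.0\n"); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// safeOpen reads one entry through zip.Reader.Open (the fs.FS path) and turns any
// panic raised inside the reader into an error, so one bad archive or entry name
// fails this request instead of taking the whole process down.
func safeOpen(data []byte, name string) (content []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			content, err = nil, fmt.Errorf("archive/zip panicked opening %q: %v", name, r)
		}
	}()
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	f, err := zr.Open(name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	data, _ := buildZip() // constructed input; error ignored in this demo only
	fmt.Println(safeOpen(data, "")) // reports an error, never crashes
}
```

On a patched toolchain `Open("")` is rejected by the reader itself; the recover path only matters for the unpatched panic, but costs nothing to keep around untrusted input.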
