archive/zip: don't read directories containing file data

[neild]

The archive/zip package forbids writing data to directory files: Writing to the io.Writer returned by w.Create("dir/") fails with zip: write to directory.

However, archive/zip permits reading data from directory files. This means there are zip archives that can be read by archive/zip, but not rewritten. In addition, the zip specification doesn't permit directories to contain file data, so these archives are invalid:

Zero-byte files, directories, and other file types that contain no content MUST NOT include file data.

We should return an error when parsing a zip file that contains a directory that contains data.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for the report.

[heschi]

cc @dsnet @bradfitz

[amarjeetanandsingh]

May I take this up?

[dsnet]

Sure, go for it!

[amarjeetanandsingh]

@neild Is it possible to for you to share the zip file to reproduce the issue?

[amarjeetanandsingh]

@dsnet @neild

• I created file.txt with content = "abcd"
• zipped this file(say it file.zip)
• opened file.zip in a hex editor and changed the internal file name from file.txt to fileetx/ (in central repo also).

This altered file.zip can be considered as the test file for this issue?

[gopherbot]

Change https://go.dev/cl/449955 mentions this issue: archive/zip: don't read directories containing file data

[gopherbot]

Change https://go.dev/cl/450280 mentions this issue: go1.20: add release notes for archive/zip, encoding/binary, mime