fxamacker / cbor

CBOR codec (RFC 8949) with CBOR tags, Go struct tags (toarray, keyasint, omitempty), float64/32/16, big.Int, and fuzz tested billions of execs.
MIT License

Prevent an inappropriate use of BinaryUnmarshaler #8

Closed fxamacker closed 4 years ago

fxamacker commented 4 years ago

Don't allow CBOR byte string (major type 2) as input to Go's Time.UnmarshalBinary.

Time values should only be encoded/decoded using these CBOR data types: pos or neg integer, float, and text string.

For more info, see RFC 7049 section 2.4.1.

fxamacker commented 4 years ago

Commit 34ffc3a3fd37df109c2ea1887de5ec8848a11fd8 closes this issue.

Passed tests and fuzzing for 2+ hours.
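The restriction requested in this issue, sketched as an added example (not part of the thread and not the fxamacker/cbor implementation). `decodeTime` and `ErrByteString` are hypothetical names; the sketch handles one untagged item holding an integer, a float32/float64 or an RFC 3339 text string, and leaves float16 and tags out.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

var ErrByteString = errors.New("cbor: byte string (major type 2) is not a valid time encoding")
// decodeTime (hypothetical, not the library API) decodes one CBOR item as a time
// and never hands the input to Time.UnmarshalBinary.
func decodeTime(b []byte) (t time.Time, err error) {
	if len(b) == 0 || b[0]&0x1f > 27 {
		return t, errors.New("cbor: empty input or indefinite/reserved length")
	}
	major, info, rest, arg := b[0]>>5, b[0]&0x1f, b[1:], uint64(b[0]&0x1f)
	if info >= 24 { // argument is in the next 1, 2, 4 or 8 bytes
		n := 1 << (info - 24)
		if len(rest) < n {
			return t, errors.New("cbor: truncated head")
		}
		arg = 0
		for _, c := range rest[:n] {
			arg = arg<<8 | uint64(c)
		}
		rest = rest[n:]
	}
	switch {
	case major == 2: // the input this issue closes off
		return t, ErrByteString
	case major == 0 && arg <= math.MaxInt64: // seconds since the epoch
		return time.Unix(int64(arg), 0).UTC(), nil
	case major == 1 && arg <= math.MaxInt64: // negative integer encodes -1-arg
		return time.Unix(-1-int64(arg), 0).UTC(), nil
	case major == 3 && arg <= uint64(len(rest)): // RFC 3339 text string
		return time.Parse(time.RFC3339, string(rest[:arg]))
	case major == 7 && (info == 26 || info == 27): // float32 or float64
		f := math.Float64frombits(arg)
		if info == 26 {
			f = float64(math.Float32frombits(uint32(arg)))
		}
		if sec, frac := math.Modf(f); math.Abs(f) < 1e15 { // also excludes NaN, Inf
			return time.Unix(int64(sec), int64(frac*1e9)).UTC(), nil
		}
	}
	return t, fmt.Errorf("cbor: cannot decode major type %d, info %d as time", major, info)
}
func main() {
	fmt.Println(decodeTime([]byte{0x41, 0x01})) // constructed input: byte string h'01'
}
```
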