mirror
/
go
mirror of https://github.com/golang/go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

archive/tar, archive/zip: disable ErrInsecurePath by default 

This change is being made late in the release cycle.
Disable it by default. Insecure path checks may be enabled by setting
GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0.
We can enable this by default in Go 1.21 after publicizing the change
more broadly and giving users a chance to adapt to the change.

For #55356.

Change-Id: I549298b3c85d6c8c7fd607c41de1073083f79b1d
Reviewed-on: https://go-review.googlesource.com/c/go/+/452616
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
This commit is contained in:
Damien Neil 2022-11-21 14:27:24 -08:00 committed by Gopher Robot
parent 28911b2891
commit 7a00f973a5
3 changed files with 18 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
doc/go1.20.html
View File

@ -372,18 +372,14 @@ proxyHandler := &httputil.ReverseProxy{
<dl id="archive/tar"><dt><a href="/pkg/archive/tar/">archive/tar</a></dt> <dl id="archive/tar"><dt><a href="/pkg/archive/tar/">archive/tar</a></dt>
<dd> <dd>
<p><!-- https://go.dev/issue/55356 --> <p><!-- https://go.dev/issue/55356 -->
<code>(*Reader).Next</code> will now return the error <code>ErrInsecurePath</code> When the <code>GODEBUG=tarinsecurepath=0</code> environment variable
when opening an archive which contains file names that are absolute, is set, <code>(*Reader).Next</code> will return the error
refer to a location outside the current directory, contain invalid <code>ErrInsecurePath</code> when opening an archive which contains
characters, or (on Windows) are reserved names such as <code>NUL</code>. file names that are absolute, refer to a location outside the current
</p> directory, contain invalid characters, or (on Windows) are reserved
<p> names such as <code>NUL</code>. Programs that perform their own
Programs that want to operate on archives containing insecure file names may name sanitization can ignore this error. This behavior will be made
ignore this error. the default in a future version of Go.
</p>
<p>
Insecure tar file name checks may be entirely disabled by setting the
<code>GODEBUG=tarinsecurepath=1</code> environment variable.
</p> </p>
</dd> </dd>
</dl><!-- archive/tar --> </dl><!-- archive/tar -->
@ -391,18 +387,14 @@ proxyHandler := &httputil.ReverseProxy{
<dl id="archive/zip"><dt><a href="/pkg/archive/zip/">archive/zip</a></dt> <dl id="archive/zip"><dt><a href="/pkg/archive/zip/">archive/zip</a></dt>
<dd> <dd>
<p><!-- https://go.dev/issue/55356 --> <p><!-- https://go.dev/issue/55356 -->
<code>NewReader</code> will now return the error <code>ErrInsecurePath</code> When the <code>GODEBUG=zipinsecurepath=0</code> environment variable
when opening an archive which contains file names that are absolute, is set, <code>NewReader</code> will return the error
refer to a location outside the current directory, contain invalid <code>ErrInsecurePath</code> when opening an archive which contains
characters, or (on Windows) are reserved names such as <code>NUL</code>. file names that are absolute, refer to a location outside the current
</p> irectory, contain invalid characters, or (on Windows) are reserved
<p> names such as <code>NUL</code>. Programs that perform their own
Programs that want to operate on archives containing insecure file names may name sanitization can ignore this error. This behavior will be made
ignore this error. the default in a future version of Go.
</p>
<p>
Insecure zip file name checks may be entirely disabled by setting the
<code>GODEBUG=zipinsecurepath=1</code> environment variable.
</p> </p>
<p><!-- CL 449955 --> <p><!-- CL 449955 -->
Reading from a directory file that contains file data will now return an error. Reading from a directory file that contains file data will now return an error.

2
src/archive/tar/reader.go
View File

@ -60,7 +60,7 @@ func (tr *Reader) Next() (*Header, error) {
} }
hdr, err := tr.next() hdr, err := tr.next()
tr.err = err tr.err = err
if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) { if err == nil && tarinsecurepath.Value() == "0" && !filepath.IsLocal(hdr.Name) {
err = ErrInsecurePath err = ErrInsecurePath
} }
return hdr, err return hdr, err

2
src/archive/zip/reader.go
View File

@ -111,7 +111,7 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) {
// Zip permits an empty file name field. // Zip permits an empty file name field.
continue continue
} }
if zipinsecurepath.Value() == "1" { if zipinsecurepath.Value() != "0" {
continue continue
} }
// The zip specification states that names must use forward slashes, // The zip specification states that names must use forward slashes,