archive/tar, archive/zip: disable ErrInsecurePath by default

neild · gopherbot · commit 7a00f973a557 · 2022-11-22T18:11:34.000Z
This change is being made late in the release cycle. Disable it by default. Insecure path checks may be enabled by setting GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0. We can enable this by default in Go 1.21 after publicizing the change more broadly and giving users a chance to adapt to the change. For #55356. Change-Id: I549298b3c85d6c8c7fd607c41de1073083f79b1d Reviewed-on: https://go-review.googlesource.com/c/go/+/452616 TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Damien Neil <dneil@google.com> Reviewed-by: Russ Cox <rsc@golang.org> Run-TryBot: Damien Neil <dneil@google.com>
diff --git a/doc/go1.20.html b/doc/go1.20.html
@@ -372,37 +372,29 @@ <h3 id="minor_library_changes">Minor changes to the library</h3>
 <dl id="archive/tar"><dt><a href="/pkg/archive/tar/">archive/tar</a></dt>
   <dd>
     <p><!-- https://go.dev/issue/55356 -->
-      <code>(*Reader).Next</code> will now return the error <code>ErrInsecurePath</code>
-      when opening an archive which contains file names that are absolute,
-      refer to a location outside the current directory, contain invalid
-      characters, or (on Windows) are reserved names such as <code>NUL</code>.
-    </p>
-    <p>
-      Programs that want to operate on archives containing insecure file names may
-      ignore this error.
-    </p>
-    <p>
-      Insecure tar file name checks may be entirely disabled by setting the
-      <code>GODEBUG=tarinsecurepath=1</code> environment variable.
+      When the <code>GODEBUG=tarinsecurepath=0</code> environment variable
+      is set, <code>(*Reader).Next</code> will return the error
+      <code>ErrInsecurePath</code> when opening an archive which contains
+      file names that are absolute, refer to a location outside the current
+      directory, contain invalid characters, or (on Windows) are reserved
+      names such as <code>NUL</code>. Programs that perform their own
+      name sanitization can ignore this error. This behavior will be made
+      the default in a future version of Go.
     </p>
   </dd>
 </dl><!-- archive/tar -->
 
 <dl id="archive/zip"><dt><a href="/pkg/archive/zip/">archive/zip</a></dt>
   <dd>
     <p><!-- https://go.dev/issue/55356 -->
-      <code>NewReader</code> will now return the error <code>ErrInsecurePath</code>
-      when opening an archive which contains file names that are absolute,
-      refer to a location outside the current directory, contain invalid
-      characters, or (on Windows) are reserved names such as <code>NUL</code>.
-    </p>
-    <p>
-      Programs that want to operate on archives containing insecure file names may
-      ignore this error.
-    </p>
-    <p>
-      Insecure zip file name checks may be entirely disabled by setting the
-      <code>GODEBUG=zipinsecurepath=1</code> environment variable.
+      When the <code>GODEBUG=zipinsecurepath=0</code> environment variable
+      is set, <code>NewReader</code> will return the error
+      <code>ErrInsecurePath</code> when opening an archive which contains
+      file names that are absolute, refer to a location outside the current 
+      irectory, contain invalid characters, or (on Windows) are reserved
+      names such as <code>NUL</code>. Programs that perform their own
+      name sanitization can ignore this error. This behavior will be made
+      the default in a future version of Go.
     </p>
     <p><!-- CL 449955 -->
       Reading from a directory file that contains file data will now return an error.
diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
@@ -60,7 +60,7 @@ func (tr *Reader) Next() (*Header, error) {
 	}
 	hdr, err := tr.next()
 	tr.err = err
-	if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) {
+	if err == nil && tarinsecurepath.Value() == "0" && !filepath.IsLocal(hdr.Name) {
 		err = ErrInsecurePath
 	}
 	return hdr, err
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
@@ -111,7 +111,7 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) {
 			// Zip permits an empty file name field.
 			continue
 		}
-		if zipinsecurepath.Value() == "1" {
+		if zipinsecurepath.Value() != "0" {
 			continue
 		}
 		// The zip specification states that names must use forward slashes,

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ func (tr Reader) Next() (Header, error) {`
`60`	`60`	`}`
`61`	`61`	`hdr, err := tr.next()`
`62`	`62`	`tr.err = err`
`63`		`- if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) {`
	`63`	`+ if err == nil && tarinsecurepath.Value() == "0" && !filepath.IsLocal(hdr.Name) {`
`64`	`64`	`err = ErrInsecurePath`
`65`	`65`	`}`
`66`	`66`	`return hdr, err`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) {`
`111`	`111`	`// Zip permits an empty file name field.`
`112`	`112`	`continue`
`113`	`113`	`}`
`114`		`- if zipinsecurepath.Value() == "1" {`
	`114`	`+ if zipinsecurepath.Value() != "0" {`
`115`	`115`	`continue`
`116`	`116`	`}`
`117`	`117`	`// The zip specification states that names must use forward slashes,`