| author | Damien Neil <dneil@google.com> | 2022-11-21 11:32:39 -0800 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2022-11-21 21:14:38 +0000 |
| commit | 85a2c19b328081c3fbcd1fa3db9a56d708a25c68 (patch) | |
| tree | 64a79901e3237069743bf38998d2485d2c651803 /src/archive/zip/reader.go | |
| parent | f60c77026bb47db984c5da7e6f0590010e7e1a6f (diff) | |
| download | go-85a2c19b328081c3fbcd1fa3db9a56d708a25c68.tar.xz | |
archive/tar, archive/zip: disable insecure file name checks with GODEBUG
Add GODEBUG=tarinsecurepath=1 and GODEBUG=zipinsecurepath=1 settings
to disable file name validation.
For #55356.
Change-Id: Iaacdc629189493e7ea3537a81660215a59dd40a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/452495
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Diffstat (limited to 'src/archive/zip/reader.go')
| -rw-r--r-- | src/archive/zip/reader.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index b64c61aab5..a097d084c6 100644
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -10,6 +10,7 @@ import (
 "errors"
 "hash"
 "hash/crc32"
+ "internal/godebug"
 "io"
 "io/fs"
 "os"
@@ -21,6 +22,8 @@ import (
 "time"
 )
 
+var zipinsecurepath = godebug.New("zipinsecurepath")
+
 var (
 ErrFormat = errors.New("zip: not a valid zip file")
 ErrAlgorithm = errors.New("zip: unsupported compression algorithm")
@@ -108,6 +111,9 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) {
 // Zip permits an empty file name field.
 continue
 }
+ if zipinsecurepath.Value() == "1" {
+ continue
+ }
 // The zip specification states that names must use forward slashes,
 // so consider any backslashes in the name insecure.
 if !filepath.IsLocal(f.Name) || strings.Contains(f.Name, `\`) { |
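Review bot: The new package-level `zipinsecurepath` variable is declared without a comment, so nothing at the declaration tells a reader of reader.go that it is a switch that turns a security check off. A one-line comment would do, for example `// zipinsecurepath is the GODEBUG setting that, when set to "1", disables the insecure file name check in NewReader.`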
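Review bot: The added `if zipinsecurepath.Value() == "1" { continue }` in NewReader skips the `filepath.IsLocal` and backslash check, and no comment states what that means for callers. With the setting on, names that are absolute, contain `..` or use backslashes are no longer flagged, and because GODEBUG is process-wide this applies to every archive the process opens, including those opened by dependencies. I would put `// GODEBUG=zipinsecurepath=1 turns off the name check below; callers that join f.Name onto a destination directory must then validate it themselves.` above the new `if`. The NewReader doc comment should say the same, unless another file in this change already documents it, which this page does not show. The loop and the rest of NewReader lie outside the hunk, so what happens after the name check is not visible here.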
