Diffstat (limited to 'src/archive/tar')
-rw-r--r--src/archive/tar/common.go3
-rw-r--r--src/archive/tar/reader.go2
-rw-r--r--src/archive/tar/reader_test.go20
3 files changed, 24 insertions, 1 deletions
diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
index be02a24542..0d5a942024 100644
--- a/src/archive/tar/common.go
+++ b/src/archive/tar/common.go
@@ -13,6 +13,7 @@ package tar
import (
"errors"
"fmt"
+ "internal/godebug"
"io/fs"
"math"
"path"
@@ -26,6 +27,8 @@ import (
// architectures. If a large value is encountered when decoding, the result
// stored in Header will be the truncated version.
+var tarinsecurepath = godebug.New("tarinsecurepath")
+
var (
ErrHeader = errors.New("archive/tar: invalid tar header")
ErrWriteTooLong = errors.New("archive/tar: write too long")
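Review bot: The new package variable `tarinsecurepath` has no comment of its own, and in this hunk it sits directly under the existing note about truncated values, which can read as if that text documented it. Because the setting switches a path-safety check off, I would add a line above it such as `// tarinsecurepath is the GODEBUG setting that, when "1", makes Reader.Next skip the ErrInsecurePath check.` A blank line between the older comment and the new declaration may simply have been lost in this rendering.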
diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
index 3495f083e3..99ba004c9a 100644
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -60,7 +60,7 @@ func (tr *Reader) Next() (*Header, error) {
}
hdr, err := tr.next()
tr.err = err
- if err == nil && !filepath.IsLocal(hdr.Name) {
+ if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) {
err = ErrInsecurePath
}
return hdr, err
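Review bot: The condition in `Next` now depends on a process-wide environment setting, but nothing at the check says so or says what the caller is left with when it is off. With `GODEBUG=tarinsecurepath=1`, `Next` returns names such as `/foo` with no `ErrInsecurePath`, so extraction code has to validate `hdr.Name` itself before joining it to a destination directory. I would add `// GODEBUG=tarinsecurepath=1 disables this check for the whole process; callers must then validate hdr.Name themselves.` above the `if`, and repeat it in the doc comment on `Next`, which starts outside this hunk. Only the exact value "1" disables the check; any other value keeps it.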
diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go
index 91dc1650e2..7e0462c3f8 100644
--- a/src/archive/tar/reader_test.go
+++ b/src/archive/tar/reader_test.go
@@ -1617,6 +1617,7 @@ func TestFileReader(t *testing.T) {
}
func TestInsecurePaths(t *testing.T) {
+ t.Setenv("GODEBUG", "tarinsecurepath=0")
for _, path := range []string{
"../foo",
"/foo",
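Review bot: Pinning `GODEBUG` to `tarinsecurepath=0` at the top of `TestInsecurePaths` means the check is no longer exercised with the setting unset, which is presumably the common case for programs using this package. Going by the condition in reader.go, an unset value should still yield `ErrInsecurePath`, so a subtest that runs with `t.Setenv("GODEBUG", "")` would keep that default covered. `t.Setenv` also replaces the whole variable, so any other GODEBUG settings in the test environment are dropped for the duration of this test. The rest of the function lies outside the hunk.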
@@ -1652,3 +1653,22 @@ func TestInsecurePaths(t *testing.T) {
}
}
}
+
+func TestDisableInsecurePathCheck(t *testing.T) {
+ t.Setenv("GODEBUG", "tarinsecurepath=1")
+ var buf bytes.Buffer
+ tw := NewWriter(&buf)
+ const name = "/foo"
+ tw.WriteHeader(&Header{
+ Name: name,
+ })
+ tw.Close()
+ tr := NewReader(&buf)
+ h, err := tr.Next()
+ if err != nil {
+ t.Fatalf("tr.Next with tarinsecurepath=1: got err %v, want nil", err)
+ }
+ if h.Name != name {
+ t.Fatalf("tr.Next with tarinsecurepath=1: got name %q, want %q", h.Name, name)
+ }
+}
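Review bot: `TestDisableInsecurePathCheck` discards the errors from `tw.WriteHeader` and `tw.Close`, so a failed write would only surface later as a confusing `tr.Next` failure; check both, e.g. `if err := tw.Close(); err != nil { t.Fatal(err) }`. The test also covers only the absolute name `/foo`; adding `../foo` from the list in `TestInsecurePaths` would show that the opt-out applies to parent-directory names as well.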