diff options
Diffstat (limited to 'src/archive/zip/reader.go')
| -rw-r--r-- | src/archive/zip/reader.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go index b64c61aab5..a097d084c6 100644 --- a/src/archive/zip/reader.go +++ b/src/archive/zip/reader.go @@ -10,6 +10,7 @@ import ( "errors" "hash" "hash/crc32" + "internal/godebug" "io" "io/fs" "os" @@ -21,6 +22,8 @@ import ( "time" ) +var zipinsecurepath = godebug.New("zipinsecurepath") + var ( ErrFormat = errors.New("zip: not a valid zip file") ErrAlgorithm = errors.New("zip: unsupported compression algorithm") @@ -108,6 +111,9 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) { // Zip permits an empty file name field. continue } + if zipinsecurepath.Value() == "1" { + continue + } // The zip specification states that names must use forward slashes, // so consider any backslashes in the name insecure. if !filepath.IsLocal(f.Name) || strings.Contains(f.Name, `\`) { |