From 85a2c19b328081c3fbcd1fa3db9a56d708a25c68 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Mon, 21 Nov 2022 11:32:39 -0800
Subject: archive/tar, archive/zip: disable insecure file name checks with
 GODEBUG

Add GODEBUG=tarinsecurepath=1 and GODEBUG=zipinsecurepath=1 settings
to disable file name validation.

For #55356.

Change-Id: Iaacdc629189493e7ea3537a81660215a59dd40a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/452495
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
---
 src/archive/tar/reader.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/archive/tar/reader.go')

diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
index 3495f083e3..99ba004c9a 100644
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -60,7 +60,7 @@ func (tr *Reader) Next() (*Header, error) {
 	}
 	hdr, err := tr.next()
 	tr.err = err
-	if err == nil && !filepath.IsLocal(hdr.Name) {
+	if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) {
 		err = ErrInsecurePath
 	}
 	return hdr, err
-- 
cgit v1.3-5-g9baa