From 85a2c19b328081c3fbcd1fa3db9a56d708a25c68 Mon Sep 17 00:00:00 2001
From: Damien Neil
Date: Mon, 21 Nov 2022 11:32:39 -0800
Subject: archive/tar, archive/zip: disable insecure file name checks with GODEBUG
Add GODEBUG=tarinsecurepath=1 and GODEBUG=zipinsecurepath=1 settings to disable file name validation.
For #55356.
Change-Id: Iaacdc629189493e7ea3537a81660215a59dd40a4
Reviewed-on: https://go-review.googlesource.com/c/go/+/452495
Reviewed-by: Bryan Mills
TryBot-Result: Gopher Robot
Run-TryBot: Damien Neil
Reviewed-by: Russ Cox
Reviewed-by: Heschi Kreinick
---
 src/archive/tar/reader_test.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'src/archive/tar/reader_test.go')
diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go
index 91dc1650e2..7e0462c3f8 100644
--- a/src/archive/tar/reader_test.go
+++ b/src/archive/tar/reader_test.go
@@ -1617,6 +1617,7 @@ func TestFileReader(t *testing.T) {
 }
 
 func TestInsecurePaths(t *testing.T) {
+ t.Setenv("GODEBUG", "tarinsecurepath=0")
 for _, path := range []string{
 "../foo",
 "/foo",
@@ -1652,3 +1653,22 @@ func TestInsecurePaths(t *testing.T) {
 }
 }
 }
+
+func TestDisableInsecurePathCheck(t *testing.T) {
+ t.Setenv("GODEBUG", "tarinsecurepath=1")
+ var buf bytes.Buffer
+ tw := NewWriter(&buf)
+ const name = "/foo"
+ tw.WriteHeader(&Header{
+ Name: name,
+ })
+ tw.Close()
+ tr := NewReader(&buf)
+ h, err := tr.Next()
+ if err != nil {
+ t.Fatalf("tr.Next with tarinsecurepath=1: got err %v, want nil", err)
+ }
+ if h.Name != name {
+ t.Fatalf("tr.Next with tarinsecurepath=1: got name %q, want %q", h.Name, name)
+ }
+}
-- cgit v1.3
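Review bot: The added `t.Setenv("GODEBUG", "tarinsecurepath=0")` at the top of TestInsecurePaths replaces the whole GODEBUG value instead of extending it, so any other GODEBUG settings the test process was started with are dropped while this test runs; the `tarinsecurepath=1` call in TestDisableInsecurePathCheck does the same. That is probably acceptable for these tests, but the intent deserves a comment, e.g. `// Force the name check on so the test does not depend on the ambient GODEBUG or on the default.` The body of TestInsecurePaths continues outside the hunk, so the assertions that rely on this setting are not visible here.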
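Review bot: TestDisableInsecurePathCheck discards the errors from `tw.WriteHeader(...)` and `tw.Close()`, so a failure while building the archive would only show up later as a misleading `tr.Next` error; check both, e.g. `if err := tw.WriteHeader(&Header{Name: name}); err != nil { t.Fatal(err) }` and the same for `tw.Close()`. The test also covers only the absolute name `/foo`, while TestInsecurePaths iterates over a list that includes `../foo`; looping over that same list here would show the override applies to every rejected form and not just one. A doc comment on the test should state that with `tarinsecurepath=1` the reader hands unvalidated names back to the caller, which then has to sanitize them before using them as file system paths.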