archive/tar, archive/zip: disable ErrInsecurePath by default

This change is being made late in the release cycle.
Disable it by default. Insecure path checks may be enabled by setting
GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0.
We can enable this by default in Go 1.21 after publicizing the change
more broadly and giving users a chance to adapt to the change.

For #55356.

Change-Id: I549298b3c85d6c8c7fd607c41de1073083f79b1d
Reviewed-on: https://go-review.googlesource.com/c/go/+/452616
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>

diff --git a/doc/go1.20.html b/doc/go1.20.html
index 3d49dd2442e4448136162fd676ba2af19c49108a..c61d308088533347edc4f39bba4288ea8f416246 100644 (file)
--- a/doc/go1.20.html
+++ b/doc/go1.20.html
@@ -372,18 +372,14 @@ proxyHandler := &httputil.ReverseProxy{
 <dl id="archive/tar"><dt><a href="/pkg/archive/tar/">archive/tar</a></dt>
   <dd>
     <p><!-- https://go.dev/issue/55356 -->
-      <code>(*Reader).Next</code> will now return the error <code>ErrInsecurePath</code>
-      when opening an archive which contains file names that are absolute,
-      refer to a location outside the current directory, contain invalid
-      characters, or (on Windows) are reserved names such as <code>NUL</code>.
-    </p>
-    <p>
-      Programs that want to operate on archives containing insecure file names may
-      ignore this error.
-    </p>
-    <p>
-      Insecure tar file name checks may be entirely disabled by setting the
-      <code>GODEBUG=tarinsecurepath=1</code> environment variable.
+      When the <code>GODEBUG=tarinsecurepath=0</code> environment variable
+      is set, <code>(*Reader).Next</code> will return the error
+      <code>ErrInsecurePath</code> when opening an archive which contains
+      file names that are absolute, refer to a location outside the current
+      directory, contain invalid characters, or (on Windows) are reserved
+      names such as <code>NUL</code>. Programs that perform their own
+      name sanitization can ignore this error. This behavior will be made
+      the default in a future version of Go.
     </p>
   </dd>
 </dl><!-- archive/tar -->
@@ -391,18 +387,14 @@ proxyHandler := &httputil.ReverseProxy{
 <dl id="archive/zip"><dt><a href="/pkg/archive/zip/">archive/zip</a></dt>
   <dd>
     <p><!-- https://go.dev/issue/55356 -->
-      <code>NewReader</code> will now return the error <code>ErrInsecurePath</code>
-      when opening an archive which contains file names that are absolute,
-      refer to a location outside the current directory, contain invalid
-      characters, or (on Windows) are reserved names such as <code>NUL</code>.
-    </p>
-    <p>
-      Programs that want to operate on archives containing insecure file names may
-      ignore this error.
-    </p>
-    <p>
-      Insecure zip file name checks may be entirely disabled by setting the
-      <code>GODEBUG=zipinsecurepath=1</code> environment variable.
+      When the <code>GODEBUG=zipinsecurepath=0</code> environment variable
+      is set, <code>NewReader</code> will return the error
+      <code>ErrInsecurePath</code> when opening an archive which contains
+      file names that are absolute, refer to a location outside the current 
+      irectory, contain invalid characters, or (on Windows) are reserved
+      names such as <code>NUL</code>. Programs that perform their own
+      name sanitization can ignore this error. This behavior will be made
+      the default in a future version of Go.
     </p>
     <p><!-- CL 449955 -->
       Reading from a directory file that contains file data will now return an error.

diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
index 99ba004c9a43ec3f7ab9b7668e6b1815db8a8e0f..a4e35bddb228c806fc947228b98015b8bcb53847 100644 (file)
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -60,7 +60,7 @@ func (tr *Reader) Next() (*Header, error) {
        }
        hdr, err := tr.next()
        tr.err = err
-       if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) {
+       if err == nil && tarinsecurepath.Value() == "0" && !filepath.IsLocal(hdr.Name) {
                err = ErrInsecurePath
        }
        return hdr, err

diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index a097d084c6334238aa08017ef3c7cf75ed5337ae..aa741028cc4fa85674929995fee4929c4089f7cd 100644 (file)
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -111,7 +111,7 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) {
                        // Zip permits an empty file name field.
                        continue
                }
-               if zipinsecurepath.Value() == "1" {
+               if zipinsecurepath.Value() != "0" {
                        continue
                }
                // The zip specification states that names must use forward slashes,