From: Damien Neil Date: Wed, 21 Dec 2022 17:50:48 +0000 (-0800) Subject: archive/tar, archive/zip: revert documentation of ErrInsecurePath X-Git-Tag: go1.20rc2~1^2~14 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=2321abc5e9;p=gostls13.git archive/tar, archive/zip: revert documentation of ErrInsecurePath CL 452616 disables path security checks by default, enabling them only when GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0 is set. Remove now-obsolete documenation of the path checks. For #55356 Change-Id: I4ae57534efe9e27368d5e67773a502dd0e56eff4 Reviewed-on: https://go-review.googlesource.com/c/go/+/458875 Reviewed-by: Russ Cox TryBot-Result: Gopher Robot Run-TryBot: Damien Neil --- diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go index 52a3150fc4..82a5a5a293 100644 --- a/src/archive/tar/reader.go +++ b/src/archive/tar/reader.go @@ -45,15 +45,6 @@ func NewReader(r io.Reader) *Reader { // Any remaining data in the current file is automatically discarded. // // io.EOF is returned at the end of the input. -// -// ErrInsecurePath and a valid *Header are returned if the next file's name is: -// -// - absolute; -// - a relative path escaping the current directory, such as "../a"; or -// - on Windows, a reserved file name such as "NUL". -// -// The caller may ignore the ErrInsecurePath error, -// but is then responsible for sanitizing paths as appropriate. func (tr *Reader) Next() (*Header, error) { if tr.err != nil { return nil, tr.err diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go index 10e835fe86..a2ae74e541 100644 --- a/src/archive/zip/reader.go +++ b/src/archive/zip/reader.go @@ -87,17 +87,6 @@ func OpenReader(name string) (*ReadCloser, error) { // NewReader returns a new Reader reading from r, which is assumed to // have the given size in bytes. -// -// ErrInsecurePath and a valid *Reader are returned if the names of any -// files in the archive: -// -// - are absolute; -// - are a relative path escaping the current directory, such as "../a"; -// - contain a backslash (\) character; or -// - on Windows, are a reserved file name such as "NUL". -// -// The caller may ignore the ErrInsecurePath error, -// but is then responsible for sanitizing paths as appropriate. func NewReader(r io.ReaderAt, size int64) (*Reader, error) { if size < 0 { return nil, errors.New("zip: size cannot be negative")