From 7a00f973a557fa8b5294652382a6280ddb196c1e Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Mon, 21 Nov 2022 14:27:24 -0800
Subject: [PATCH] archive/tar, archive/zip: disable ErrInsecurePath by default

This change is being made late in the release cycle.
Disable it by default. Insecure path checks may be enabled by setting
GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0.
We can enable this by default in Go 1.21 after publicizing the change
more broadly and giving users a chance to adapt to the change.

For #55356.

Change-Id: I549298b3c85d6c8c7fd607c41de1073083f79b1d
Reviewed-on: https://go-review.googlesource.com/c/go/+/452616
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
---
 doc/go1.20.html           | 40 ++++++++++++++++-----------------------
 src/archive/tar/reader.go |  2 +-
 src/archive/zip/reader.go |  2 +-
 3 files changed, 18 insertions(+), 26 deletions(-)

diff --git a/doc/go1.20.html b/doc/go1.20.html
index 3d49dd2442..c61d308088 100644
--- a/doc/go1.20.html
+++ b/doc/go1.20.html
@@ -372,18 +372,14 @@ proxyHandler := &httputil.ReverseProxy{
 <dl id="archive/tar"><dt><a href="/pkg/archive/tar/">archive/tar</a></dt>
   <dd>
     <p><!-- https://go.dev/issue/55356 -->
-      <code>(*Reader).Next</code> will now return the error <code>ErrInsecurePath</code>
-      when opening an archive which contains file names that are absolute,
-      refer to a location outside the current directory, contain invalid
-      characters, or (on Windows) are reserved names such as <code>NUL</code>.
-    </p>
-    <p>
-      Programs that want to operate on archives containing insecure file names may
-      ignore this error.
-    </p>
-    <p>
-      Insecure tar file name checks may be entirely disabled by setting the
-      <code>GODEBUG=tarinsecurepath=1</code> environment variable.
+      When the <code>GODEBUG=tarinsecurepath=0</code> environment variable
+      is set, <code>(*Reader).Next</code> will return the error
+      <code>ErrInsecurePath</code> when opening an archive which contains
+      file names that are absolute, refer to a location outside the current
+      directory, contain invalid characters, or (on Windows) are reserved
+      names such as <code>NUL</code>. Programs that perform their own
+      name sanitization can ignore this error. This behavior will be made
+      the default in a future version of Go.
     </p>
   </dd>
 </dl><!-- archive/tar -->
@@ -391,18 +387,14 @@ proxyHandler := &httputil.ReverseProxy{
 <dl id="archive/zip"><dt><a href="/pkg/archive/zip/">archive/zip</a></dt>
   <dd>
     <p><!-- https://go.dev/issue/55356 -->
-      <code>NewReader</code> will now return the error <code>ErrInsecurePath</code>
-      when opening an archive which contains file names that are absolute,
-      refer to a location outside the current directory, contain invalid
-      characters, or (on Windows) are reserved names such as <code>NUL</code>.
-    </p>
-    <p>
-      Programs that want to operate on archives containing insecure file names may
-      ignore this error.
-    </p>
-    <p>
-      Insecure zip file name checks may be entirely disabled by setting the
-      <code>GODEBUG=zipinsecurepath=1</code> environment variable.
+      When the <code>GODEBUG=zipinsecurepath=0</code> environment variable
+      is set, <code>NewReader</code> will return the error
+      <code>ErrInsecurePath</code> when opening an archive which contains
+      file names that are absolute, refer to a location outside the current 
+      irectory, contain invalid characters, or (on Windows) are reserved
+      names such as <code>NUL</code>. Programs that perform their own
+      name sanitization can ignore this error. This behavior will be made
+      the default in a future version of Go.
     </p>
     <p><!-- CL 449955 -->
       Reading from a directory file that contains file data will now return an error.
diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
index 99ba004c9a..a4e35bddb2 100644
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -60,7 +60,7 @@ func (tr *Reader) Next() (*Header, error) {
 	}
 	hdr, err := tr.next()
 	tr.err = err
-	if err == nil && tarinsecurepath.Value() != "1" && !filepath.IsLocal(hdr.Name) {
+	if err == nil && tarinsecurepath.Value() == "0" && !filepath.IsLocal(hdr.Name) {
 		err = ErrInsecurePath
 	}
 	return hdr, err
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index a097d084c6..aa741028cc 100644
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -111,7 +111,7 @@ func NewReader(r io.ReaderAt, size int64) (*Reader, error) {
 			// Zip permits an empty file name field.
 			continue
 		}
-		if zipinsecurepath.Value() == "1" {
+		if zipinsecurepath.Value() != "0" {
 			continue
 		}
 		// The zip specification states that names must use forward slashes,
-- 
2.50.0