go/55356.txt at f5026496cfbe4701b62c6a6942c8a0df48f1053e - go - Tape:neT

qbit/go

mirror of https://github.com/golang/go synced 2024-09-30 15:18:32 -06:00

Damien Neil a2d8157a7e archive/tar, archive/zip: return ErrInsecurePath for unsafe paths

Return a distinguishable error when reading an archive file
with a path that is:

	- absolute
	- escapes the current directory (../a)
	- on Windows, a reserved name such as NUL

Users may ignore this error and proceed if they do not need name
sanitization or intend to perform it themselves.

Fixes #25849
Fixes #55356

Change-Id: Ieefa163f00384bc285ab329ea21a6561d39d8096
Reviewed-on: https://go-review.googlesource.com/c/go/+/449937
Reviewed-by: Joseph Tsai <joetsai@digital-static.net>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

2022-11-16 23:36:48 +00:00

3 lines

100 B

Plaintext

Raw Blame History

	`pkg archive/tar, var ErrInsecurePath error #55356`
	`pkg archive/zip, var ErrInsecurePath error #55356`