Stowage/go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2026-06-27 03:11:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

archive/tar: clarify that tarinsecurepath=0 does not apply to linknames

Browse source 
Change-Id: Iad1e9141cae8827b9f30b4a2fb8285366a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/775300
Reviewed-by: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <husin@google.com>
This commit is contained in:
Damien Neil 2026-05-07 09:17:09 -07:00
parent 2747d887eb
commit f9f6dc7c82
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/archive/tar/reader.go
View file

@ -45,8 +45,9 @@ func NewReader(r io.Reader) *Reader {
// Any remaining data in the current file is automatically discarded.
// At the end of the archive, Next returns the error io.EOF.
//
// If Next encounters a non-local name (as defined by [filepath.IsLocal])
// If Next encounters a non-local file name (as defined by [filepath.IsLocal])
// and the GODEBUG environment variable contains `tarinsecurepath=0`,
// Only file names are validated, not link targets.
// Next returns the header with an [ErrInsecurePath] error.
// A future version of Go may introduce this behavior by default.
// Programs that want to accept non-local names can ignore