diff options
Diffstat (limited to 'src/archive/zip/reader.go')
-rw-r--r-- | src/archive/zip/reader.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go index a2ae74e541..a1554d2c52 100644 --- a/src/archive/zip/reader.go +++ b/src/archive/zip/reader.go @@ -87,6 +87,14 @@ func OpenReader(name string) (*ReadCloser, error) { // NewReader returns a new Reader reading from r, which is assumed to // have the given size in bytes. +// +// If any file inside the archive uses a non-local name +// (as defined by [filepath.IsLocal]) or a name containing backslashes +// and the GODEBUG environment variable contains `zipinsecurepath=0`, +// NewReader returns the reader with an ErrInsecurePath error. +// A future version of Go may introduce this behavior by default. +// Programs that want to accept non-local names can ignore +// the ErrInsecurePath error and use the returned reader. func NewReader(r io.ReaderAt, size int64) (*Reader, error) { if size < 0 { return nil, errors.New("zip: size cannot be negative") |