author: Damien Neil <dneil@google.com> 2022-11-21 14:27:24 -0800
committer: Gopher Robot <gobot@golang.org> 2022-11-22 18:11:34 +0000
commit: 7a00f973a557fa8b5294652382a6280ddb196c1e
tree: 5d3c150b835956f3d1a8eb577bdf7e5f5d6c10b1 /doc
parent: 28911b289103d6128c3364a3e3de4ed8eabe630f
archive/tar, archive/zip: disable ErrInsecurePath by default

This change is being made late in the release cycle.
Disable it by default. Insecure path checks may be enabled by setting
GODEBUG=tarinsecurepath=0 or GODEBUG=zipinsecurepath=0. We can enable
this by default in Go 1.21 after publicizing the change more broadly
and giving users a chance to adapt to the change.

For #55356.

Change-Id: I549298b3c85d6c8c7fd607c41de1073083f79b1d
Reviewed-on: https://go-review.googlesource.com/c/go/+/452616
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>

Diffstat (limited to 'doc')
-rw-r--r-- doc/go1.20.html 40
1 files changed, 16 insertions, 24 deletions
diff --git a/doc/go1.20.html b/doc/go1.20.html
index 3d49dd2442..c61d308088 100644
--- a/doc/go1.20.html
+++ b/doc/go1.20.html
@@ -372,18 +372,14 @@ proxyHandler := &httputil.ReverseProxy{
<dl id="archive/tar"><dt><a href="/pkg/archive/tar/">archive/tar</a></dt>
<dd>
<p><!-- https://go.dev/issue/55356 -->
- <code>(*Reader).Next</code> will now return the error <code>ErrInsecurePath</code>
- when opening an archive which contains file names that are absolute,
- refer to a location outside the current directory, contain invalid
- characters, or (on Windows) are reserved names such as <code>NUL</code>.
- </p>
- <p>
- Programs that want to operate on archives containing insecure file names may
- ignore this error.
- </p>
- <p>
- Insecure tar file name checks may be entirely disabled by setting the
- <code>GODEBUG=tarinsecurepath=1</code> environment variable.
+ When the <code>GODEBUG=tarinsecurepath=0</code> environment variable
+ is set, <code>(*Reader).Next</code> will return the error
+ <code>ErrInsecurePath</code> when opening an archive which contains
+ file names that are absolute, refer to a location outside the current
+ directory, contain invalid characters, or (on Windows) are reserved
+ names such as <code>NUL</code>. Programs that perform their own
+ name sanitization can ignore this error. This behavior will be made
+ the default in a future version of Go.
</p>
</dd>
</dl><!-- archive/tar -->
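Review bot: The new archive/tar paragraph describes only the opt-in case and never states the default, so a reader skimming the release notes can come away believing that (*Reader).Next rejects absolute or parent-directory names in Go 1.20. Suggest adding a sentence saying that without GODEBUG=tarinsecurepath=0 such names are returned with no error, and that code which extracts archives must keep validating entry names itself. The inverted sense of the setting (the value 0 turns the check on) is also easy to misread next to the removed text, which used tarinsecurepath=1 to turn it off; a short parenthetical spelling out what 0 and 1 mean would help.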
@@ -391,18 +387,14 @@ proxyHandler := &httputil.ReverseProxy{
<dl id="archive/zip"><dt><a href="/pkg/archive/zip/">archive/zip</a></dt>
<dd>
<p><!-- https://go.dev/issue/55356 -->
- <code>NewReader</code> will now return the error <code>ErrInsecurePath</code>
- when opening an archive which contains file names that are absolute,
- refer to a location outside the current directory, contain invalid
- characters, or (on Windows) are reserved names such as <code>NUL</code>.
- </p>
- <p>
- Programs that want to operate on archives containing insecure file names may
- ignore this error.
- </p>
- <p>
- Insecure zip file name checks may be entirely disabled by setting the
- <code>GODEBUG=zipinsecurepath=1</code> environment variable.
+ When the <code>GODEBUG=zipinsecurepath=0</code> environment variable
+ is set, <code>NewReader</code> will return the error
+ <code>ErrInsecurePath</code> when opening an archive which contains
+ file names that are absolute, refer to a location outside the current
+ irectory, contain invalid characters, or (on Windows) are reserved
+ names such as <code>NUL</code>. Programs that perform their own
+ name sanitization can ignore this error. This behavior will be made
+ the default in a future version of Go.
</p>
<p><!-- CL 449955 -->
Reading from a directory file that contains file data will now return an error.
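Review bot: Typo in the added archive/zip text: the line "irectory, contain invalid characters, or (on Windows) are reserved" has lost its leading "d" and should read "directory", matching the archive/tar paragraph in the previous hunk. Separately, as with archive/tar, the paragraph does not say what NewReader does when GODEBUG=zipinsecurepath=0 is not set; a sentence stating that insecure names are accepted without error by default would make clear that callers still have to sanitize names before writing to disk.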