Damien Neil

Results: 262 comments by Damien Neil

#53435 contains fairly extensive discussion on the rationale for the interactions between `Join`, `Is`, and `As`. The purpose of `Join` is to combine errors in a way that `Is` and...

`filepath.IsAbs` considers `COM1` and a number of other reserved names to be absolute: https://go.googlesource.com/go/+/refs/tags/go1.19.1/src/path/filepath/path_windows.go#23 Using `filepath` does mean that whether an archive is insecure or not will depend on the...

So far as I can see, we can: 1. Call an archive containing the file `com1` insecure on all systems. This doesn't seem right; Unix systems shouldn't need to worry...

We would return `ErrInsecurePath` when encountering an insecure filename, but permit the user to ignore it. So: ``` zr, err := zip.NewReader(r, size) if err == zip.ErrInsecurePath { err =...
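The handling sketched in the comments above (a reader that is returned together with `ErrInsecurePath`, an insecure-name check that should not silently depend on the host's `filepath.IsAbs`, and the choice of whether `com1` is rejected everywhere or only on Windows) is worked through below as an added example. It is not Damien Neil's code and not Go standard-library code; `isReservedName`, `insecureReason`, `buildArchive` and `safeEntries` are helpers written for this example, and the archive contents are made up. The behaviour assumed of `zip.NewReader` is that of Go 1.20 and later with the `zipinsecurepath=0` GODEBUG setting (return `zip.ErrInsecurePath` alongside a usable `*zip.Reader`); when that check is not enabled the archive is simply accepted and the per-entry filter below does all the work.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// isReservedName reports whether one path element is a Windows reserved device
// name (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9); case and extension are ignored.
func isReservedName(elem string) bool {
	base := elem
	if i := strings.IndexByte(base, '.'); i >= 0 {
		base = base[:i]
	}
	base = strings.ToUpper(base)
	switch base {
	case "CON", "PRN", "AUX", "NUL":
		return true
	}
	if len(base) == 4 && (strings.HasPrefix(base, "COM") || strings.HasPrefix(base, "LPT")) {
		return base[3] >= '1' && base[3] <= '9'
	}
	return false
}

// insecureReason returns "" when name may be created under an extraction
// directory, or a short reason otherwise. Unlike filepath.IsAbs the result does
// not depend on the host OS: both separators are recognised, and the reserved
// name rule is applied only when checkReserved is set. Hypothetical helper.
func insecureReason(name string, checkReserved bool) string {
	if name == "" {
		return "empty name"
	}
	if name[0] == '/' || name[0] == '\\' {
		return "absolute path"
	}
	if len(name) >= 2 && name[1] == ':' {
		return "drive letter"
	}
	for _, elem := range strings.FieldsFunc(name, func(r rune) bool { return r == '/' || r == '\\' }) {
		if elem == ".." {
			return "parent directory element"
		}
		if checkReserved && isReservedName(elem) {
			return "Windows reserved name"
		}
	}
	return ""
}

// buildArchive constructs an in-memory zip (made-up test data) with one benign
// entry and three that a Windows-aware check rejects.
func buildArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, name := range []string{"docs/readme.txt", "../escape.txt", "/etc/passwd", "logs/COM1.log"} {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		fmt.Fprintf(w, "payload for %s\n", name)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// safeEntries opens the archive and splits its entries into extractable names
// and rejected names keyed by reason. With the Go 1.20+ check enabled,
// zip.NewReader returns zip.ErrInsecurePath together with a usable reader, so
// that error is treated as advisory and every entry is filtered individually.
func safeEntries(data []byte, checkReserved bool) ([]string, map[string]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, nil, err
	}
	var ok []string
	rejected := map[string]string{}
	for _, f := range zr.File {
		if reason := insecureReason(f.Name, checkReserved); reason != "" {
			rejected[f.Name] = reason
			continue
		}
		ok = append(ok, f.Name)
	}
	return ok, rejected, nil
}

func main() {
	ok, rejected, _ := safeEntries(buildArchive(), true)
	fmt.Println("extractable:", ok, "rejected:", rejected)
}
```

Passing `checkReserved=false` is the "only worry about com1 on Windows" choice from the comment above: `logs/COM1.log` then extracts on Unix hosts, while `../escape.txt` and `/etc/passwd` are still refused. Go 1.20 also added `filepath.IsLocal`, which is what the standard library itself uses for this decision; it applies the reserved-name rule only when the program runs on Windows, which is exactly the host dependence the helper above lets a caller opt out of.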

https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file states:

> Do not use the following reserved names for the name of a file:
>
> CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8,...

This proposal doesn't address symlinks. The vast majority of path vulnerabilities caused by the current archive/tar and archive/zip behavior have been in programs that don't process symlinks. Perhaps we should...

> I'm not certain if WriteFile("./com1", b, mode) is an error or just a bad idea.

I'm pretty sure it doesn't write to the COM1 device, although I haven't tested...

> I feel like surfacing the file handle as part of the error would be cleaner than returning a handle and a non-nil error.

This seems substantially less convenient for...

It appears that Docker images frequently contain tar files containing absolute paths. This change causes problems for programs which operate on these tar files. Since Docker is not a small...
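The Docker case above is the opposite policy from rejecting absolute names: a consumer of image layers wants `/etc/hostname` to land under its extraction root as `etc/hostname`, while still refusing entries that climb above that root. The added example below shows that handling with `archive/tar`. It is not Damien Neil's code and not Docker's or Go's; `buildLayer`, `rerootName` and `readLayer` are helpers written for this example and the layer contents are made up. It assumes the Go 1.20+ behaviour of `tar.Reader.Next` when `GODEBUG=tarinsecurepath=0` is set (return `tar.ErrInsecurePath` together with the header, leaving the reader usable); when that check is not enabled, the absolute names simply arrive without an error and the loop behaves the same.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// buildLayer constructs an in-memory tar shaped like a container image layer,
// using the absolute entry names the thread says Docker images often carry.
// The data is made up for this example.
func buildLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"/etc/hostname", "/usr/bin/app", "/../outside", "relative/file"} {
		body := []byte("content of " + name + "\n")
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// rerootName maps an entry name onto a path relative to the layer root: leading
// slashes are dropped, the result is cleaned, and anything that would still
// climb above the root is rejected. Accept-absolute, reject-traversal is the
// policy a layer consumer needs. Hypothetical helper, not archive/tar API.
func rerootName(name string) (string, bool) {
	rel := path.Clean(strings.TrimLeft(name, "/"))
	if rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", false
	}
	return rel, true
}

// readLayer walks the archive with Reader.Next. With the Go 1.20+ check
// enabled, Next returns tar.ErrInsecurePath together with the header for names
// such as "/etc/hostname"; the reader stays usable, so the error is treated as
// advisory and rerootName decides what is kept.
func readLayer(data []byte) (map[string]string, []string, error) {
	accepted := map[string]string{}
	var rejected []string
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return nil, nil, err
		}
		if hdr == nil {
			continue
		}
		rel, ok := rerootName(hdr.Name)
		if !ok {
			rejected = append(rejected, hdr.Name)
			continue
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return nil, nil, err
		}
		accepted[rel] = string(body)
	}
	return accepted, rejected, nil
}

func main() {
	accepted, rejected, err := readLayer(buildLayer())
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", accepted, "rejected:", rejected)
}
```

Because `rerootName` rejects `../` after cleaning rather than resolving it against the root, `/../outside` is dropped instead of being silently turned into `outside`; a program that instead wants the stricter "absolute means insecure" behaviour only needs to stop ignoring `tar.ErrInsecurePath` in the loop.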

The proposal as-is could be conditionalized on the Go version specified in the `go.mod` file, to be fully backwards-compatible.