From 15c0b25d011f37e7c20aeca9eaf461f78285b8d9 Mon Sep 17 00:00:00 2001
From: Alex Pilon <apilon@hashicorp.com>
Date: Fri, 22 Feb 2019 18:24:37 -0500
Subject: deps: github.com/hashicorp/terraform@sdk-v0.11-with-go-modules
 Updated via: go get github.com/hashicorp/terraform@sdk-v0.11-with-go-modules
 and go mod tidy

---
 .../github.com/hashicorp/go-getter/decompress.go   | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)

(limited to 'vendor/github.com/hashicorp/go-getter/decompress.go')

diff --git a/vendor/github.com/hashicorp/go-getter/decompress.go b/vendor/github.com/hashicorp/go-getter/decompress.go
index d18174c..198bb0e 100644
--- a/vendor/github.com/hashicorp/go-getter/decompress.go
+++ b/vendor/github.com/hashicorp/go-getter/decompress.go
@@ -1,7 +1,15 @@
 package getter
 
+import (
+	"strings"
+)
+
 // Decompressor defines the interface that must be implemented to add
 // support for decompressing a type.
+//
+// Important: if you're implementing a decompressor, please use the
+// containsDotDot helper in this file to ensure that files can't be
+// decompressed outside of the specified directory.
 type Decompressor interface {
 	// Decompress should decompress src to dst. dir specifies whether dst
 	// is a directory or single file. src is guaranteed to be a single file
@@ -16,14 +24,35 @@ var Decompressors map[string]Decompressor
 func init() {
 	tbzDecompressor := new(TarBzip2Decompressor)
 	tgzDecompressor := new(TarGzipDecompressor)
+	txzDecompressor := new(TarXzDecompressor)
 
 	Decompressors = map[string]Decompressor{
 		"bz2":     new(Bzip2Decompressor),
 		"gz":      new(GzipDecompressor),
+		"xz":      new(XzDecompressor),
 		"tar.bz2": tbzDecompressor,
 		"tar.gz":  tgzDecompressor,
+		"tar.xz":  txzDecompressor,
 		"tbz2":    tbzDecompressor,
 		"tgz":     tgzDecompressor,
+		"txz":     txzDecompressor,
 		"zip":     new(ZipDecompressor),
 	}
 }
+
+// containsDotDot checks if the filepath value v contains a ".." entry.
+// This will check filepath components by splitting along / or \. This
+// function is copied directly from the Go net/http implementation.
+func containsDotDot(v string) bool {
+	if !strings.Contains(v, "..") {
+		return false
+	}
+	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
+		if ent == ".." {
+			return true
+		}
+	}
+	return false
+}
+
+func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
-- 
cgit v1.2.3