Rev 31 | Go to most recent revision | Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
24 | magnus | 1 | Author: Raphael Geissert <geissert@debian.org> |
2 | Bug-Debian: https://bugs.debian.org/731860 |
||
3 | Description: Avoid directory traversal when extracting archives |
||
4 | by skipping over leading slashes and any prefix containing ".." components. |
||
5 | Forwarded: yes |
||
6 | |||
7 | --- a/lib/decode.c |
||
8 | +++ b/lib/decode.c |
||
9 | @@ -21,13 +21,42 @@ |
||
10 | # include <string.h> |
||
11 | #endif |
||
12 | |||
13 | +char * |
||
14 | +safer_name_suffix (char const *file_name) |
||
15 | +{ |
||
16 | + char const *p, *t; |
||
17 | + p = t = file_name; |
||
18 | + while (*p == '/') t = ++p; |
||
19 | + while (*p) |
||
20 | + { |
||
21 | + while (p[0] == '.' && p[0] == p[1] && p[2] == '/') |
||
22 | + { |
||
23 | + p += 3; |
||
24 | + t = p; |
||
25 | + } |
||
26 | + /* advance pointer past the next slash */ |
||
27 | + while (*p && (p++)[0] != '/'); |
||
28 | + } |
||
29 | + |
||
30 | + if (!*t) |
||
31 | + { |
||
32 | + t = "."; |
||
33 | + } |
||
34 | + |
||
35 | + if (t != file_name) |
||
36 | + { |
||
37 | + /* TODO: warn somehow that the path was modified */ |
||
38 | + } |
||
39 | + return (char*)t; |
||
40 | +} |
||
41 | + |
||
42 | |||
43 | /* determine full path name */ |
||
44 | char * |
||
45 | th_get_pathname(TAR *t) |
||
46 | { |
||
47 | if (t->th_buf.gnu_longname) |
||
48 | - return t->th_buf.gnu_longname; |
||
49 | + return safer_name_suffix(t->th_buf.gnu_longname); |
||
50 | |||
51 | size_t pathlen = |
||
52 | strlen(t->th_buf.prefix) + strlen(t->th_buf.name) + 2; |
||
53 | @@ -43,12 +72,12 @@ th_get_pathname(TAR *t) |
||
54 | |||
55 | if (t->th_buf.prefix[0] == '\0') |
||
56 | { |
||
57 | - snprintf(t->th_pathname, pathlen, "%.100s", t->th_buf.name); |
||
58 | + snprintf(t->th_pathname, pathlen, "%.100s", safer_name_suffix(t->th_buf.name)); |
||
59 | } |
||
60 | else |
||
61 | { |
||
62 | snprintf(t->th_pathname, pathlen, "%.155s/%.100s", |
||
63 | - t->th_buf.prefix, t->th_buf.name); |
||
64 | + t->th_buf.prefix, safer_name_suffix(t->th_buf.name)); |
||
65 | } |
||
66 | |||
67 | /* will be deallocated in tar_close() */ |
||
68 | --- a/lib/extract.c |
||
69 | +++ b/lib/extract.c |
||
70 | @@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real |
||
71 | if (mkdirhier(dirname(filename)) == -1) |
||
72 | return -1; |
||
73 | libtar_hashptr_reset(&hp); |
||
74 | - if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t), |
||
75 | + if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)), |
||
76 | (libtar_matchfunc_t)libtar_str_match) != 0) |
||
77 | { |
||
78 | lnp = (char *)libtar_hashptr_data(&hp); |
||
79 | linktgt = &lnp[strlen(lnp) + 1]; |
||
80 | } |
||
81 | else |
||
82 | - linktgt = th_get_linkname(t); |
||
83 | + linktgt = safer_name_suffix(th_get_linkname(t)); |
||
84 | |||
85 | #ifdef DEBUG |
||
86 | printf(" ==> extracting: %s (link to %s)\n", filename, linktgt); |
||
87 | @@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna |
||
88 | |||
89 | #ifdef DEBUG |
||
90 | printf(" ==> extracting: %s (symlink to %s)\n", |
||
91 | - filename, th_get_linkname(t)); |
||
92 | + filename, safer_name_suffix(th_get_linkname(t))); |
||
93 | #endif |
||
94 | - if (symlink(th_get_linkname(t), filename) == -1) |
||
95 | + if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1) |
||
96 | { |
||
97 | #ifdef DEBUG |
||
98 | perror("symlink()"); |
||
99 | --- a/lib/internal.h |
||
100 | +++ b/lib/internal.h |
||
101 | @@ -21,3 +21,4 @@ |
||
102 | #define TLS_THREAD |
||
103 | #endif |
||
104 | |||
105 | +char* safer_name_suffix(char const*); |