Subversion Repositories

?revision_form?Rev ?revision_input??revision_submit??revision_endform?

Rev 31 | Go to most recent revision | Details | Last modification | View Log | RSS feed

Rev Author Line No. Line
24 magnus 1
Author: Raphael Geissert <geissert@debian.org>
2
Bug-Debian: https://bugs.debian.org/731860
3
Description: Avoid directory traversal when extracting archives
4
 by skipping over leading slashes and any prefix containing ".." components.
5
Forwarded: yes
6
 
7
--- a/lib/decode.c
8
+++ b/lib/decode.c
9
@@ -21,13 +21,42 @@
10
 # include <string.h>
11
 #endif
12
 
13
+char *
14
+safer_name_suffix (char const *file_name)
15
+{
16
+       char const *p, *t;
17
+       p = t = file_name;
18
+       while (*p == '/') t = ++p;
19
+       while (*p)
20
+       {
21
+               while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
22
+               {
23
+                       p += 3;
24
+                       t = p;
25
+               }
26
+               /* advance pointer past the next slash */
27
+               while (*p && (p++)[0] != '/');
28
+       }
29
+
30
+       if (!*t)
31
+       {
32
+               t = ".";
33
+       }
34
+
35
+       if (t != file_name)
36
+       {
37
+               /* TODO: warn somehow that the path was modified */
38
+       }
39
+       return (char*)t;
40
+}
41
+
42
 
43
 /* determine full path name */
44
 char *
45
 th_get_pathname(TAR *t)
46
 {
47
        if (t->th_buf.gnu_longname)
48
-               return t->th_buf.gnu_longname;
49
+               return safer_name_suffix(t->th_buf.gnu_longname);
50
 
51
        size_t pathlen =
52
          strlen(t->th_buf.prefix) + strlen(t->th_buf.name) + 2;
53
@@ -43,12 +72,12 @@ th_get_pathname(TAR *t)
54
 
55
        if (t->th_buf.prefix[0] == '\0')
56
        {
57
-               snprintf(t->th_pathname, pathlen, "%.100s", t->th_buf.name);
58
+               snprintf(t->th_pathname, pathlen, "%.100s", safer_name_suffix(t->th_buf.name));
59
        }
60
        else
61
        {
62
                snprintf(t->th_pathname, pathlen, "%.155s/%.100s",
63
-                        t->th_buf.prefix, t->th_buf.name);
64
+                        t->th_buf.prefix, safer_name_suffix(t->th_buf.name));
65
        }
66
 
67
        /* will be deallocated in tar_close() */
68
--- a/lib/extract.c
69
+++ b/lib/extract.c
70
@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real
71
        if (mkdirhier(dirname(filename)) == -1)
72
                return -1;
73
        libtar_hashptr_reset(&hp);
74
-       if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
75
+       if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
76
                               (libtar_matchfunc_t)libtar_str_match) != 0)
77
        {
78
                lnp = (char *)libtar_hashptr_data(&hp);
79
                linktgt = &lnp[strlen(lnp) + 1];
80
        }
81
        else
82
-               linktgt = th_get_linkname(t);
83
+               linktgt = safer_name_suffix(th_get_linkname(t));
84
 
85
 #ifdef DEBUG
86
        printf("  ==> extracting: %s (link to %s)\n", filename, linktgt);
87
@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
88
 
89
 #ifdef DEBUG
90
        printf("  ==> extracting: %s (symlink to %s)\n",
91
-              filename, th_get_linkname(t));
92
+              filename, safer_name_suffix(th_get_linkname(t)));
93
 #endif
94
-       if (symlink(th_get_linkname(t), filename) == -1)
95
+       if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
96
        {
97
 #ifdef DEBUG
98
                perror("symlink()");
99
--- a/lib/internal.h
100
+++ b/lib/internal.h
101
@@ -21,3 +21,4 @@
102
 #define TLS_THREAD
103
 #endif
104
 
105
+char* safer_name_suffix(char const*);