Subversion Repositories

Author: Raphael Geissert <geissert@debian.org>

Bug-Debian: https://bugs.debian.org/731860

Description: Avoid directory traversal when extracting archives

 by skipping over leading slashes and any prefix containing ".." components.

Forwarded: yes

--- a/lib/decode.c

+++ b/lib/decode.c

@@ -21,13 +21,42 @@

 # include <string.h>

 #endif

+char *

+safer_name_suffix (char const *file_name)

+{

+       char const *p, *t;

+       p = t = file_name;

+       while (*p == '/') t = ++p;

+       while (*p)

+       {

+               while (p[0] == '.' && p[0] == p[1] && p[2] == '/')

+               {

+                       p += 3;

+                       t = p;

+               }

+               /* advance pointer past the next slash */

+               while (*p && (p++)[0] != '/');

+       }

+

+       if (!*t)

+       {

+               t = ".";

+       }

+

+       if (t != file_name)

+       {

+               /* TODO: warn somehow that the path was modified */

+       }

+       return (char*)t;

+}

+

 /* determine full path name */

 char *

 th_get_pathname(TAR *t)

 {

        if (t->th_buf.gnu_longname)

-               return t->th_buf.gnu_longname;

+               return safer_name_suffix(t->th_buf.gnu_longname);

        /* allocate the th_pathname buffer if not already */

        if (t->th_pathname == NULL)

@@ -50,7 +79,7 @@ th_get_pathname(TAR *t)

        }

        /* will be deallocated in tar_close() */

-       return t->th_pathname;

+       return safer_name_suffix(t->th_pathname);

 }

--- a/lib/extract.c

+++ b/lib/extract.c

@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real

        if (mkdirhier(dirname(filename)) == -1)

                return -1;

        libtar_hashptr_reset(&hp);

-       if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),

+       if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),

                               (libtar_matchfunc_t)libtar_str_match) != 0)

        {

                lnp = (char *)libtar_hashptr_data(&hp);

                linktgt = &lnp[strlen(lnp) + 1];

        }

        else

-               linktgt = th_get_linkname(t);

+               linktgt = safer_name_suffix(th_get_linkname(t));

 #ifdef DEBUG

        printf("  ==> extracting: %s (link to %s)\n", filename, linktgt);

@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna

 #ifdef DEBUG

        printf("  ==> extracting: %s (symlink to %s)\n",

-              filename, th_get_linkname(t));

+              filename, safer_name_suffix(th_get_linkname(t)));

 #endif

-       if (symlink(th_get_linkname(t), filename) == -1)

+       if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)

        {

 #ifdef DEBUG

                perror("symlink()");

--- a/lib/internal.h

+++ b/lib/internal.h

@@ -21,3 +21,4 @@

 #define TLS_THREAD

 #endif

+char* safer_name_suffix(char const*);

--- a/lib/output.c

+++ b/lib/output.c

@@ -123,9 +123,9 @@ th_print_long_ls(TAR *t)

                else

                        printf(" link to ");

                if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)

-                       printf("%s", t->th_buf.gnu_longlink);

+                       printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));

                else

-                       printf("%.100s", t->th_buf.linkname);

+                       printf("%.100s", safer_name_suffix(t->th_buf.linkname));

        }

        putchar('\n');