diff options
| author | vda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277> | 2006-11-26 15:42:03 +0000 |
|---|---|---|
| committer | vda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277> | 2006-11-26 15:42:03 +0000 |
| commit | 48a92503e79c2345601821c4599ee25d1db35d66 (patch) | |
| tree | b9f58ac239a9fb05ed437d274e7a68fb160b60e3 | |
| parent | fffc31fe088d18146a765fe901a7a85175f624e2 (diff) | |
| download | busybox-w32-48a92503e79c2345601821c4599ee25d1db35d66.tar.gz busybox-w32-48a92503e79c2345601821c4599ee25d1db35d66.tar.bz2 busybox-w32-48a92503e79c2345601821c4599ee25d1db35d66.zip | |
tar: refuse to untar files with "/../" components
git-svn-id: svn://busybox.net/trunk/busybox@16672 69ca8d6d-28ef-0310-b511-8ec308f3f277
| -rw-r--r-- | archival/libunarchive/get_header_tar.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/archival/libunarchive/get_header_tar.c b/archival/libunarchive/get_header_tar.c index 583f6f811..66c3314a1 100644 --- a/archival/libunarchive/get_header_tar.c +++ b/archival/libunarchive/get_header_tar.c | |||
| @@ -157,7 +157,6 @@ char get_header_tar(archive_handle_t *archive_handle) | |||
| 157 | file_header->name = concat_path_file(tar.prefix, tar.name); | 157 | file_header->name = concat_path_file(tar.prefix, tar.name); |
| 158 | } else | 158 | } else |
| 159 | file_header->name = xstrdup(tar.name); | 159 | file_header->name = xstrdup(tar.name); |
| 160 | /* FIXME: add check for /../ attacks */ | ||
| 161 | } | 160 | } |
| 162 | 161 | ||
| 163 | /* Set bits 12-15 of the files mode */ | 162 | /* Set bits 12-15 of the files mode */ |
| @@ -244,6 +243,12 @@ char get_header_tar(archive_handle_t *archive_handle) | |||
| 244 | linkname = NULL; | 243 | linkname = NULL; |
| 245 | } | 244 | } |
| 246 | #endif | 245 | #endif |
| 246 | if (!strncmp(file_header->name, "/../"+1, 3) | ||
| 247 | || strstr(file_header->name, "/../") | ||
| 248 | ) { | ||
| 249 | bb_error_msg_and_die("name with '..' encountered: '%s'", | ||
| 250 | file_header->name); | ||
| 251 | } | ||
| 247 | 252 | ||
| 248 | /* Strip trailing '/' in directories */ | 253 | /* Strip trailing '/' in directories */ |
| 249 | /* Must be done after mode is set as '/' is used to check if its a directory */ | 254 | /* Must be done after mode is set as '/' is used to check if its a directory */ |