Merge branch 'busybox' into merge

author: Ron Yorston <rmy@pobox.com> 2017-08-22 14:56:12 +0100
committer: Ron Yorston <rmy@pobox.com> 2017-08-22 14:56:12 +0100
commit: ce9af1cc5ea23f754587448cf35b5120c77bfeef (patch)
tree: 69e5eaba5e75ab909ed92d5045393471b8ff3c13 /archival/libarchive
parent: c170026700eabb10147dd848c45c06995b43a32e (diff)
parent: e837a0dbbebf4229306df98fe9ee3b9bb30630c4 (diff)
download: busybox-w32-ce9af1cc5ea23f754587448cf35b5120c77bfeef.tar.gz
busybox-w32-ce9af1cc5ea23f754587448cf35b5120c77bfeef.tar.bz2
busybox-w32-ce9af1cc5ea23f754587448cf35b5120c77bfeef.zip
5 files changed, 93 insertions, 35 deletions
diff --git a/archival/libarchive/Kbuild.src b/archival/libarchive/Kbuild.src
index 942e755b9..e1a8a7529 100644
--- a/archival/libarchive/Kbuild.src
+++ b/archival/libarchive/Kbuild.src
@@ -12,6 +12,8 @@ COMMON_FILES:= \
        data_extract_all.o \
        data_extract_to_stdout.o \
 \
+        unsafe_symlink_target.o \
+\
        filter_accept_all.o \
        filter_accept_list.o \
        filter_accept_reject_list.o \
diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
index 1ce927c2f..e658444e0 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -129,9 +129,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
                if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
                        /* shared message */
                        bb_perror_msg("can't create %slink '%s' to '%s'",
-                                        "hard",
+                                "hard", dst_name, hard_link
-                                        dst_name,
-                                        hard_link
                        );
                }
                /* Hardlinks have no separate mode/ownership, skip chown/chmod */
@@ -181,7 +179,9 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
 //TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
                /* To avoid a directory traversal attack via symlinks,
-                 * for certain link targets postpone creation of symlinks.
+                 * do not restore symlinks with ".." components
+                 * or symlinks starting with "/", unless a magic
+                 * envvar is set.
                 *
                 * For example, consider a .tar created via:
                 *  $ tar cvf bug.tar anything.txt
@@ -199,24 +199,17 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
                 *
                 * Untarring bug.tar would otherwise place evil.py in '/tmp'.
                 */
-                if (file_header->link_target[0] == '/'
+                if (!unsafe_symlink_target(file_header->link_target)) {
-                 || strstr(file_header->link_target, "..")
+                        res = symlink(file_header->link_target, dst_name);
-                ) {
+                        if (res != 0
-                        llist_add_to(&archive_handle->symlink_placeholders,
+                         && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
-                                xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
+                        ) {
-                        );
+                                /* shared message */
-                        break;
+                                bb_perror_msg("can't create %slink '%s' to '%s'",
-                }
+                                        "sym",
-                res = symlink(file_header->link_target, dst_name);
+                                        dst_name, file_header->link_target
-                if (res != 0
+                                );
-                 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+                        }
-                ) {
-                        /* shared message */
-                        bb_perror_msg("can't create %slink '%s' to '%s'",
-                                "sym",
-                                dst_name,
-                                file_header->link_target
-                        );
                }
                break;
        case S_IFSOCK:
diff --git a/archival/libarchive/decompress_unxz.c b/archival/libarchive/decompress_unxz.c
index 350e5358a..0be85500c 100644
--- a/archival/libarchive/decompress_unxz.c
+++ b/archival/libarchive/decompress_unxz.c
@@ -37,7 +37,6 @@ static uint32_t xz_crc32(const uint8_t *buf, size_t size, uint32_t crc)
 || !defined(put_unaligned_be32)
 # error get_unaligned_le32 accessors are not defined
 #endif
-#define get_le32(p) (*(uint32_t*)(p))
 #include "unxz/xz_dec_bcj.c"
 #include "unxz/xz_dec_lzma2.c"
diff --git a/archival/libarchive/open_transformer.c b/archival/libarchive/open_transformer.c
index 641256787..7d912152c 100644
--- a/archival/libarchive/open_transformer.c
+++ b/archival/libarchive/open_transformer.c
@@ -251,18 +251,8 @@ static transformer_state_t *setup_transformer_on_fd(int fd, int fail_if_not_comp
        return xstate;
 }
-/* Used by e.g. rpm which gives us a fd without filename,
+static void fork_transformer_and_free(transformer_state_t *xstate)
- * thus we can't guess the format from filename's extension.
- */
-int FAST_FUNC setup_unzip_on_fd(int fd, int fail_if_not_compressed)
 {
-        transformer_state_t *xstate = setup_transformer_on_fd(fd, fail_if_not_compressed);
-        if (!xstate || !xstate->xformer) {
-                free(xstate);
-                return 1;
-        }
 # if BB_MMU
        fork_transformer_with_no_sig(xstate->src_fd, xstate->xformer);
 # else
@@ -270,13 +260,39 @@ int FAST_FUNC setup_unzip_on_fd(int fd, int fail_if_not_compressed)
         * an external unzipper that wants
         * file position at the start of the file.
         */
-        xlseek(fd, - xstate->signature_skipped, SEEK_CUR);
+        xlseek(xstate->src_fd, - xstate->signature_skipped, SEEK_CUR);
        xstate->signature_skipped = 0;
        fork_transformer_with_sig(xstate->src_fd, xstate->xformer, xstate->xformer_prog);
 # endif
        free(xstate);
+}
+/* Used by e.g. rpm which gives us a fd without filename,
+ * thus we can't guess the format from filename's extension.
+ */
+int FAST_FUNC setup_unzip_on_fd(int fd, int fail_if_not_compressed)
+{
+        transformer_state_t *xstate = setup_transformer_on_fd(fd, fail_if_not_compressed);
+        if (!xstate->xformer) {
+                free(xstate);
+                return 1;
+        }
+        fork_transformer_and_free(xstate);
        return 0;
 }
+#if ENABLE_FEATURE_SEAMLESS_LZMA
+/* ...and custom version for LZMA */
+void FAST_FUNC setup_lzma_on_fd(int fd)
+{
+        transformer_state_t *xstate = xzalloc(sizeof(*xstate));
+        xstate->src_fd = fd;
+        xstate->xformer = unpack_lzma_stream;
+        USE_FOR_NOMMU(xstate->xformer_prog = "unlzma";)
+        fork_transformer_and_free(xstate);
+}
+#endif
 static transformer_state_t *open_transformer(const char *fname, int fail_if_not_compressed)
 {
diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
new file mode 100644
index 000000000..441ba8b24
--- /dev/null
+++ b/archival/libarchive/unsafe_symlink_target.c
@@ -0,0 +1,48 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
+ */
+#include "libbb.h"
+#include "bb_archive.h"
+int FAST_FUNC unsafe_symlink_target(const char *target)
+{
+        const char *dot;
+        if (target[0] == '/') {
+                const char *var;
+ unsafe:
+                var = getenv("EXTRACT_UNSAFE_SYMLINKS");
+                if (var) {
+                        if (LONE_CHAR(var, '1'))
+                                return 0; /* pretend it's safe */
+                        return 1; /* "UNSAFE!" */
+                }
+                bb_error_msg("skipping unsafe symlink to '%s' in archive,"
+                        " set %s=1 to extract",
+                        target,
+                        "EXTRACT_UNSAFE_SYMLINKS"
+                );
+                /* Prevent further messages */
+                setenv("EXTRACT_UNSAFE_SYMLINKS", "0", 0);
+                return 1; /* "UNSAFE!" */
+        }
+        dot = target;
+        for (;;) {
+                dot = strchr(dot, '.');
+                if (!dot)
+                        return 0; /* safe target */
+                /* Is it a path component starting with ".."? */
+                if ((dot[1] == '.')
+                 && (dot == target || dot[-1] == '/')
+                    /* Is it exactly ".."? */
+                 && (dot[2] == '/' || dot[2] == '\0')
+                ) {
+                        goto unsafe;
+                }
+                /* NB: it can even be trailing ".", should only add 1 */
+                dot += 1;
+        }
+}
author	Ron Yorston <rmy@pobox.com>	2017-08-22 14:56:12 +0100
committer	Ron Yorston <rmy@pobox.com>	2017-08-22 14:56:12 +0100
commit	ce9af1cc5ea23f754587448cf35b5120c77bfeef (patch)
tree	69e5eaba5e75ab909ed92d5045393471b8ff3c13 /archival/libarchive
parent	c170026700eabb10147dd848c45c06995b43a32e (diff)
parent	e837a0dbbebf4229306df98fe9ee3b9bb30630c4 (diff)
download	busybox-w32-ce9af1cc5ea23f754587448cf35b5120c77bfeef.tar.gz busybox-w32-ce9af1cc5ea23f754587448cf35b5120c77bfeef.tar.bz2 busybox-w32-ce9af1cc5ea23f754587448cf35b5120c77bfeef.zip