diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2015-02-10 01:30:43 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2015-02-10 01:30:43 +0100 |
| commit | 8c06bc6ba14949d945eff0abcabab885f1ef7680 (patch) | |
| tree | 438b36b8264a1b257d4fb3e6293dcda1a4ac9d35 /archival/unzip.c | |
| parent | 23cfaab47de7392c1ba7d601a05fb36da3629b28 (diff) | |
| download | busybox-w32-8c06bc6ba14949d945eff0abcabab885f1ef7680.tar.gz busybox-w32-8c06bc6ba14949d945eff0abcabab885f1ef7680.tar.bz2 busybox-w32-8c06bc6ba14949d945eff0abcabab885f1ef7680.zip | |
unzip: prevent attacks via malicious filenames
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'archival/unzip.c')
| -rw-r--r-- | archival/unzip.c | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/archival/unzip.c b/archival/unzip.c index 38a07e212..eed225677 100644 --- a/archival/unzip.c +++ b/archival/unzip.c | |||
| @@ -596,14 +596,18 @@ int unzip_main(int argc, char **argv) | |||
| 596 | /* Skip extra header bytes */ | 596 | /* Skip extra header bytes */ |
| 597 | unzip_skip(zip_header.formatted.extra_len); | 597 | unzip_skip(zip_header.formatted.extra_len); |
| 598 | 598 | ||
| 599 | /* Guard against "/abspath", "/../" and similar attacks */ | ||
| 600 | overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn)); | ||
| 601 | |||
| 599 | /* Filter zip entries */ | 602 | /* Filter zip entries */ |
| 600 | if (find_list_entry(zreject, dst_fn) | 603 | if (find_list_entry(zreject, dst_fn) |
| 601 | || (zaccept && !find_list_entry(zaccept, dst_fn)) | 604 | || (zaccept && !find_list_entry(zaccept, dst_fn)) |
| 602 | ) { /* Skip entry */ | 605 | ) { /* Skip entry */ |
| 603 | i = 'n'; | 606 | i = 'n'; |
| 604 | 607 | ||
| 605 | } else { /* Extract entry */ | 608 | } else { |
| 606 | if (listing) { /* List entry */ | 609 | if (listing) { |
| 610 | /* List entry */ | ||
| 607 | unsigned dostime = zip_header.formatted.modtime | (zip_header.formatted.moddate << 16); | 611 | unsigned dostime = zip_header.formatted.modtime | (zip_header.formatted.moddate << 16); |
| 608 | if (!verbose) { | 612 | if (!verbose) { |
| 609 | // " Length Date Time Name\n" | 613 | // " Length Date Time Name\n" |
| @@ -639,9 +643,11 @@ int unzip_main(int argc, char **argv) | |||
| 639 | total_size += zip_header.formatted.cmpsize; | 643 | total_size += zip_header.formatted.cmpsize; |
| 640 | } | 644 | } |
| 641 | i = 'n'; | 645 | i = 'n'; |
| 642 | } else if (dst_fd == STDOUT_FILENO) { /* Extracting to STDOUT */ | 646 | } else if (dst_fd == STDOUT_FILENO) { |
| 647 | /* Extracting to STDOUT */ | ||
| 643 | i = -1; | 648 | i = -1; |
| 644 | } else if (last_char_is(dst_fn, '/')) { /* Extract directory */ | 649 | } else if (last_char_is(dst_fn, '/')) { |
| 650 | /* Extract directory */ | ||
| 645 | if (stat(dst_fn, &stat_buf) == -1) { | 651 | if (stat(dst_fn, &stat_buf) == -1) { |
| 646 | if (errno != ENOENT) { | 652 | if (errno != ENOENT) { |
| 647 | bb_perror_msg_and_die("can't stat '%s'", dst_fn); | 653 | bb_perror_msg_and_die("can't stat '%s'", dst_fn); |
| @@ -655,22 +661,27 @@ int unzip_main(int argc, char **argv) | |||
| 655 | } | 661 | } |
| 656 | } else { | 662 | } else { |
| 657 | if (!S_ISDIR(stat_buf.st_mode)) { | 663 | if (!S_ISDIR(stat_buf.st_mode)) { |
| 658 | bb_error_msg_and_die("'%s' exists but is not directory", dst_fn); | 664 | bb_error_msg_and_die("'%s' exists but is not a %s", |
| 665 | dst_fn, "directory"); | ||
| 659 | } | 666 | } |
| 660 | } | 667 | } |
| 661 | i = 'n'; | 668 | i = 'n'; |
| 662 | 669 | ||
| 663 | } else { /* Extract file */ | 670 | } else { |
| 671 | /* Extract file */ | ||
| 664 | check_file: | 672 | check_file: |
| 665 | if (stat(dst_fn, &stat_buf) == -1) { /* File does not exist */ | 673 | if (stat(dst_fn, &stat_buf) == -1) { |
| 674 | /* File does not exist */ | ||
| 666 | if (errno != ENOENT) { | 675 | if (errno != ENOENT) { |
| 667 | bb_perror_msg_and_die("can't stat '%s'", dst_fn); | 676 | bb_perror_msg_and_die("can't stat '%s'", dst_fn); |
| 668 | } | 677 | } |
| 669 | i = 'y'; | 678 | i = 'y'; |
| 670 | } else { /* File already exists */ | 679 | } else { |
| 680 | /* File already exists */ | ||
| 671 | if (overwrite == O_NEVER) { | 681 | if (overwrite == O_NEVER) { |
| 672 | i = 'n'; | 682 | i = 'n'; |
| 673 | } else if (S_ISREG(stat_buf.st_mode)) { /* File is regular file */ | 683 | } else if (S_ISREG(stat_buf.st_mode)) { |
| 684 | /* File is regular file */ | ||
| 674 | if (overwrite == O_ALWAYS) { | 685 | if (overwrite == O_ALWAYS) { |
| 675 | i = 'y'; | 686 | i = 'y'; |
| 676 | } else { | 687 | } else { |
| @@ -678,8 +689,10 @@ int unzip_main(int argc, char **argv) | |||
| 678 | my_fgets80(key_buf); | 689 | my_fgets80(key_buf); |
| 679 | i = key_buf[0]; | 690 | i = key_buf[0]; |
| 680 | } | 691 | } |
| 681 | } else { /* File is not regular file */ | 692 | } else { |
| 682 | bb_error_msg_and_die("'%s' exists but is not regular file", dst_fn); | 693 | /* File is not regular file */ |
| 694 | bb_error_msg_and_die("'%s' exists but is not a %s", | ||
| 695 | dst_fn, "regular file"); | ||
| 683 | } | 696 | } |
| 684 | } | 697 | } |
| 685 | } | 698 | } |