Diffstat (limited to 'archival')
-rw-r--r--archival/libarchive/data_extract_all.c42
-rw-r--r--archival/tar.c37
-rwxr-xr-xarchival/tar_symlink_attack16
-rw-r--r--archival/unzip.c1
4 files changed, 72 insertions, 24 deletions
diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
index 1830ffb8d..1ce927c2f 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,11 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
128 res = link(hard_link, dst_name); 128 res = link(hard_link, dst_name);
129 if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) { 129 if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
130 /* shared message */ 130 /* shared message */
131 bb_perror_msg("can't create %slink " 131 bb_perror_msg("can't create %slink '%s' to '%s'",
132 "%s to %s", "hard", 132 "hard",
133 dst_name, 133 dst_name,
134 hard_link); 134 hard_link
135 );
135 } 136 }
136 /* Hardlinks have no separate mode/ownership, skip chown/chmod */ 137 /* Hardlinks have no separate mode/ownership, skip chown/chmod */
137 goto ret; 138 goto ret;
@@ -178,15 +179,44 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
178 case S_IFLNK: 179 case S_IFLNK:
179 /* Symlink */ 180 /* Symlink */
180//TODO: what if file_header->link_target == NULL (say, corrupted tarball?) 181//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
182
183 /* To avoid a directory traversal attack via symlinks,
184 * for certain link targets postpone creation of symlinks.
185 *
186 * For example, consider a .tar created via:
187 * $ tar cvf bug.tar anything.txt
188 * $ ln -s /tmp symlink
189 * $ tar --append -f bug.tar symlink
190 * $ rm symlink
191 * $ mkdir symlink
192 * $ tar --append -f bug.tar symlink/evil.py
193 *
194 * This will result in an archive that contains:
195 * $ tar --list -f bug.tar
196 * anything.txt
197 * symlink [-> /tmp]
198 * symlink/evil.py
199 *
200 * Untarring bug.tar would otherwise place evil.py in '/tmp'.
201 */
202 if (file_header->link_target[0] == '/'
203 || strstr(file_header->link_target, "..")
204 ) {
205 llist_add_to(&archive_handle->symlink_placeholders,
206 xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
207 );
208 break;
209 }
181 res = symlink(file_header->link_target, dst_name); 210 res = symlink(file_header->link_target, dst_name);
182 if (res != 0 211 if (res != 0
183 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET) 212 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
184 ) { 213 ) {
185 /* shared message */ 214 /* shared message */
186 bb_perror_msg("can't create %slink " 215 bb_perror_msg("can't create %slink '%s' to '%s'",
187 "%s to %s", "sym", 216 "sym",
188 dst_name, 217 dst_name,
189 file_header->link_target); 218 file_header->link_target
219 );
190 } 220 }
191 break; 221 break;
192 case S_IFSOCK: 222 case S_IFSOCK:
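Review bot: The new traversal check reads `file_header->link_target[0]` and hands the pointer to strstr() with no NULL test, even though the TODO kept directly above it says link_target can be NULL for a corrupted tarball; a guard ahead of the check, e.g. `if (!file_header->link_target) { bb_error_msg("skipping symlink '%s' with no target", dst_name); break; }`, would close that. The placeholder also records `file_header->name` while the immediate path calls symlink() on `dst_name`; dst_name is assigned outside this hunk, so if the two can differ the deferred link lands at a different path than a direct one would, and storing `dst_name` would keep them consistent. In this commit only tar.c consumes `symlink_placeholders`, so any other caller of data_extract_all would presumably drop absolute and `..` symlinks silently; a comment on the list saying that every extractor must process it (or warn) would make that visible. The function body starts and ends outside both hunks.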
diff --git a/archival/tar.c b/archival/tar.c
index 4d1db4934..d90a5dc4f 100644
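--- a/archival/tar.c
+++ b/archival/tar.c
@@ -22,24 +22,6 @@
  *
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
-/* TODO: security with -C DESTDIR option can be enhanced.
- * Consider tar file created via:
- * $ tar cvf bug.tar anything.txt
- * $ ln -s /tmp symlink
- * $ tar --append -f bug.tar symlink
- * $ rm symlink
- * $ mkdir symlink
- * $ tar --append -f bug.tar symlink/evil.py
- *
- * This will result in an archive which contains:
- * $ tar --list -f bug.tar
- * anything.txt
- * symlink
- * symlink/evil.py
- *
- * Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
- * This doesn't feel right, and IIRC GNU tar doesn't do that.
- */
 
 //config:config TAR
 //config: bool "tar (40 kb)"
@@ -296,6 +278,23 @@ static void chksum_and_xwrite(int fd, struct tar_header_t* hp)
  xwrite(fd, hp, sizeof(*hp));
 }
 
+static void replace_symlink_placeholders(llist_t *list)
+{
+ while (list) {
+ char *target;
+
+ target = list->data + strlen(list->data) + 1;
+ if (symlink(target, list->data)) {
+ /* shared message */
+ bb_error_msg_and_die("can't create %slink '%s' to '%s'",
+ "sym",
+ list->data, target
+ );
+ }
+ list = list->link;
+ }
+}
+
 #if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
 static void writeLongname(int fd, int type, const char *name, int dir)
 {
@@ -1281,6 +1280,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
  while (get_header_tar(tar_handle) == EXIT_SUCCESS)
  bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
 
+ replace_symlink_placeholders(tar_handle->symlink_placeholders);
+
  /* Check that every file that should have been extracted was */
  while (tar_handle->accept) {
  if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)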
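Review bot: replace_symlink_placeholders() reports a failed symlink() through `bb_error_msg_and_die`, which drops errno, while the immediate path in data_extract_all.c prints the same shared message with bb_perror_msg; `bb_perror_msg_and_die("can't create %slink '%s' to '%s'", "sym", list->data, target);` would show whether the failure was EEXIST (the expected outcome when a directory has taken the link's name, as in the commit's example archive) or something unrelated. Dying on the first failure also leaves every remaining placeholder uncreated and ignores ARCHIVE_EXTRACT_QUIET, unlike the direct path, which only warns; if aborting is the intended security behaviour, a short comment above the call should say so. The function has no header comment explaining the `name\0target` layout it unpacks, which is only defined at the xasprintf() call in the other file; something like `/* Each entry is "NAME\0TARGET" as queued by data_extract_all() */` would help.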
diff --git a/archival/tar_symlink_attack b/archival/tar_symlink_attack
new file mode 100755
index 000000000..35455f200
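--- /dev/null
+++ b/archival/tar_symlink_attack
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Makes "symlink attack" tarball (needs GNU tar for --append)
+
+true >anything.txt
+tar cvf tar_symlink_attack.tar anything.txt
+rm anything.txt
+
+ln -s /tmp symlink
+tar --append -f tar_symlink_attack.tar symlink
+rm symlink
+
+mkdir symlink
+echo BUG >symlink/bb_test_evilfile
+tar --append -f tar_symlink_attack.tar symlink/bb_test_evilfile
+rm symlink/bb_test_evilfile
+rmdir symlink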
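Review bot: The script truncates and then deletes `anything.txt` and removes `symlink` in whatever directory it is started from, and with no `set -e` a failed step (for instance `ln -s` when `symlink` already exists) does not stop the later `rm` and `rmdir` calls. Adding `set -e` after the shebang and doing the work in a scratch directory, e.g. `cd "$(mktemp -d)"` before line 4 with the tarball copied out at the end, would keep it away from a developer's own files. The header comment could also state that the output is a regression fixture for the deferred-symlink check added to data_extract_all.c in this commit, since nothing visible here references the generated tarball.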
diff --git a/archival/unzip.c b/archival/unzip.c
index 4c4feda82..0dd18a75d 100644
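--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -117,6 +117,7 @@ typedef union {
 
 #define FIX_ENDIANNESS_ZIP(zip) \
 do { if (BB_BIG_ENDIAN) { \
+ (zip).fmt.method = SWAP_LE16((zip).fmt.method ); \
  (zip).fmt.crc32 = SWAP_LE32((zip).fmt.crc32 ); \
  (zip).fmt.cmpsize = SWAP_LE32((zip).fmt.cmpsize ); \
  (zip).fmt.ucmpsize = SWAP_LE32((zip).fmt.ucmpsize ); \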