From bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Thu, 10 Aug 2017 11:52:42 +0200
Subject: libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1
function old new delta
unsafe_symlink_target - 147 +147
unzip_main 2711 2732 +21
copy_file 1657 1678 +21
tar_main 999 971 -28
data_extract_all 1038 984 -54
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 2/2 up/down: 189/-82) Total: 107 bytes
Signed-off-by: Denys Vlasenko
---
archival/unzip.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'archival/unzip.c')
diff --git a/archival/unzip.c b/archival/unzip.c
index 8ed9ae7d5..604166063 100644
--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -368,9 +368,15 @@ static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
 target[xstate.mem_output_size] = '\0';
 #endif
 }
+ if (!unsafe_symlink_target(target)) {
 //TODO: libbb candidate
- if (symlink(target, dst_fn))
- bb_perror_msg_and_die("can't create symlink '%s'", dst_fn);
+ if (symlink(target, dst_fn)) {
+ /* shared message */
+ bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+ "sym", dst_fn, target
+ );
+ }
+ }
 free(target);
 }
 #endif
-- cgit v1.2.3-55-g6feb
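Review bot: When `unsafe_symlink_target(target)` rejects a target, the new branch in `unzip_extract_symlink` falls straight through to `free(target)`, so as far as this hunk shows the entry is dropped without a message at this call site and without any effect on unzip's exit status. Presumably the helper prints its own warning, but its body is not part of this patch (the page is limited to archival/unzip.c), so confirm that a script calling unzip can tell a link was skipped. A comment on the guard would make the policy explicit, e.g. `/* unsafe target: skip this entry (not fatal) unless $EXTRACT_UNSAFE_SYMLINKS=1 */`. The guard inspects only the link's target text; `dst_fn` is passed to `symlink()` as given, and whatever validates it lies outside the hunk, as does the start of the function.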