aboutsummaryrefslogtreecommitdiff
path: root/archival
diff options
context:
space:
mode:
Diffstat (limited to 'archival')
-rw-r--r--archival/libarchive/data_extract_all.c42
-rw-r--r--archival/tar.c37
-rwxr-xr-xarchival/tar_symlink_attack16
3 files changed, 71 insertions, 24 deletions
diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
index 1830ffb8d..1ce927c2f 100644
--- a/archival/libarchive/data_extract_all.c
+++ b/archival/libarchive/data_extract_all.c
@@ -128,10 +128,11 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
res = link(hard_link, dst_name);
if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
/* shared message */
- bb_perror_msg("can't create %slink "
- "%s to %s", "hard",
+ bb_perror_msg("can't create %slink '%s' to '%s'",
+ "hard",
dst_name,
- hard_link);
+ hard_link
+ );
}
/* Hardlinks have no separate mode/ownership, skip chown/chmod */
goto ret;
@@ -178,15 +179,44 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
case S_IFLNK:
/* Symlink */
//TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
+
+ /* To avoid a directory traversal attack via symlinks,
+ * for certain link targets postpone creation of symlinks.
+ *
+ * For example, consider a .tar created via:
+ * $ tar cvf bug.tar anything.txt
+ * $ ln -s /tmp symlink
+ * $ tar --append -f bug.tar symlink
+ * $ rm symlink
+ * $ mkdir symlink
+ * $ tar --append -f bug.tar symlink/evil.py
+ *
+ * This will result in an archive that contains:
+ * $ tar --list -f bug.tar
+ * anything.txt
+ * symlink [-> /tmp]
+ * symlink/evil.py
+ *
+ * Untarring bug.tar would otherwise place evil.py in '/tmp'.
+ */
+ if (file_header->link_target[0] == '/'
+ || strstr(file_header->link_target, "..")
+ ) {
+ llist_add_to(&archive_handle->symlink_placeholders,
+ xasprintf("%s%c%s", file_header->name, '\0', file_header->link_target)
+ );
+ break;
+ }
res = symlink(file_header->link_target, dst_name);
if (res != 0
&& !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
) {
/* shared message */
- bb_perror_msg("can't create %slink "
- "%s to %s", "sym",
+ bb_perror_msg("can't create %slink '%s' to '%s'",
+ "sym",
dst_name,
- file_header->link_target);
+ file_header->link_target
+ );
}
break;
case S_IFSOCK:
diff --git a/archival/tar.c b/archival/tar.c
index 0fc574dfd..280ded4e1 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -22,24 +22,6 @@
*
* Licensed under GPLv2 or later, see file LICENSE in this source tree.
*/
-/* TODO: security with -C DESTDIR option can be enhanced.
- * Consider tar file created via:
- * $ tar cvf bug.tar anything.txt
- * $ ln -s /tmp symlink
- * $ tar --append -f bug.tar symlink
- * $ rm symlink
- * $ mkdir symlink
- * $ tar --append -f bug.tar symlink/evil.py
- *
- * This will result in an archive which contains:
- * $ tar --list -f bug.tar
- * anything.txt
- * symlink
- * symlink/evil.py
- *
- * Untarring it puts evil.py in '/tmp' even if the -C DESTDIR is given.
- * This doesn't feel right, and IIRC GNU tar doesn't do that.
- */
//config:config TAR
//config: bool "tar (40 kb)"
@@ -296,6 +278,23 @@ static void chksum_and_xwrite(int fd, struct tar_header_t* hp)
xwrite(fd, hp, sizeof(*hp));
}
+static void replace_symlink_placeholders(llist_t *list)
+{
+ while (list) {
+ char *target;
+
+ target = list->data + strlen(list->data) + 1;
+ if (symlink(target, list->data)) {
+ /* shared message */
+ bb_error_msg_and_die("can't create %slink '%s' to '%s'",
+ "sym",
+ list->data, target
+ );
+ }
+ list = list->link;
+ }
+}
+
#if ENABLE_FEATURE_TAR_GNU_EXTENSIONS
static void writeLongname(int fd, int type, const char *name, int dir)
{
@@ -1252,6 +1251,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
while (get_header_tar(tar_handle) == EXIT_SUCCESS)
bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
+ replace_symlink_placeholders(tar_handle->symlink_placeholders);
+
/* Check that every file that should have been extracted was */
while (tar_handle->accept) {
if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)
diff --git a/archival/tar_symlink_attack b/archival/tar_symlink_attack
new file mode 100755
index 000000000..35455f200
--- /dev/null
+++ b/archival/tar_symlink_attack
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Makes "symlink attack" tarball (needs GNU tar for --append)
+
+true >anything.txt
+tar cvf tar_symlink_attack.tar anything.txt
+rm anything.txt
+
+ln -s /tmp symlink
+tar --append -f tar_symlink_attack.tar symlink
+rm symlink
+
+mkdir symlink
+echo BUG >symlink/bb_test_evilfile
+tar --append -f tar_symlink_attack.tar symlink/bb_test_evilfile
+rm symlink/bb_test_evilfile
+rmdir symlink