author | Rob Landley <rob@landley.net> | 2017-01-14 16:51:43 -0600 |
---|---|---|
committer | Rob Landley <rob@landley.net> | 2017-01-14 16:51:43 -0600 |
commit | ae7ea62eea205d2816e09070b034a588dbaaaa6a (patch) | |
tree | 6e2d7441e4ddb57ee705cbcd505fd8655d5a8a97 | |
parent | 354a6377ece47aa76b2ae25b44cf717a1e1c81e6 (diff) | |
Quick and dirty fix for CVE-2016-6321 but seriously this is in pending
for a reason and I need to completely rewrite it.
-rw-r--r-- | toys/pending/tar.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/toys/pending/tar.c b/toys/pending/tar.c
index d672d102..b6d27cb6 100644
--- a/toys/pending/tar.c
+++ b/toys/pending/tar.c
@@ -365,8 +365,16 @@ static void extract_to_disk(struct archive_handler *tar)
 struct stat ex;
 struct file_header *file_hdr = &tar->file_hdr;
- if (file_hdr->name[strlen(file_hdr->name)-1] == '/')
- file_hdr->name[strlen(file_hdr->name)-1] = 0;
+ flags = strlen(file_hdr->name);
+ if (flags>2) {
+ if (strstr(file_hdr->name, "/../") || !strcmp(file_hdr->name, "../") ||
+ !strcmp(file_hdr->name+flags-3, "/.."))
+ {
+ error_msg("drop %s", file_hdr->name);
+ }
+ }
+
+ if (file_hdr->name[flags-1] == '/') file_hdr->name[flags-1] = 0;
 //Regular file with preceding path
 if ((s = strrchr(file_hdr->name, '/'))) {
 if (mkpathat(AT_FDCWD, file_hdr->name, 00, 2) && errno !=EEXIST) { |
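Review bot: The new traversal check only reports the name. After `error_msg("drop %s", file_hdr->name);` there is no `return;`, so unless error_msg() never returns (its definition is not on this page), extraction falls through to the trailing-slash strip and `mkpathat()` with the rejected name still in place. Add `return;` directly after the message so the entry is actually dropped. The test `!strcmp(file_hdr->name, "../")` matches only a name that is exactly `../`; a name that merely begins with `../` contains no `/../` and passes, so the comparison wanted is `!strncmp(file_hdr->name, "../", 3)`, and the `flags>2` guard also lets a bare `..` through. The body of extract_to_disk() continues past the end of the hunk, so what happens to the name afterwards is not visible here.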