authorRob Landley <rob@landley.net>2017-01-14 16:51:43 -0600
committerRob Landley <rob@landley.net>2017-01-14 16:51:43 -0600
commitae7ea62eea205d2816e09070b034a588dbaaaa6a (patch)
tree6e2d7441e4ddb57ee705cbcd505fd8655d5a8a97 /toys
parent354a6377ece47aa76b2ae25b44cf717a1e1c81e6 (diff)
Quick and dirty fix for CVE-2016-6321 but seriously this is in pending
for a reason and I need to completely rewrite it.
Diffstat (limited to 'toys')
-rw-r--r--toys/pending/tar.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/toys/pending/tar.c b/toys/pending/tar.c
index d672d102..b6d27cb6 100644
--- a/toys/pending/tar.c
+++ b/toys/pending/tar.c
@@ -365,8 +365,16 @@ static void extract_to_disk(struct archive_handler *tar)
struct stat ex;
struct file_header *file_hdr = &tar->file_hdr;
- if (file_hdr->name[strlen(file_hdr->name)-1] == '/')
- file_hdr->name[strlen(file_hdr->name)-1] = 0;
+ flags = strlen(file_hdr->name);
+ if (flags>2) {
+ if (strstr(file_hdr->name, "/../") || !strcmp(file_hdr->name, "../") ||
+ !strcmp(file_hdr->name+flags-3, "/.."))
+ {
+ error_msg("drop %s", file_hdr->name);
+ }
+ }
+
+ if (file_hdr->name[flags-1] == '/') file_hdr->name[flags-1] = 0;
//Regular file with preceding path
if ((s = strrchr(file_hdr->name, '/'))) {
if (mkpathat(AT_FDCWD, file_hdr->name, 00, 2) && errno !=EEXIST) {
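Review bot: The added traversal check only logs: after `error_msg("drop %s", file_hdr->name);` there is no `return;`, so control falls through to the `mkpathat()` call below and the entry is still processed under the name that was just reported as dropped. Add `return;` after the message; whether the caller then skips the member's data correctly cannot be seen from this hunk. The test `!strcmp(file_hdr->name, "../")` matches only a name that is exactly `../`, so `!strncmp(file_hdr->name, "../", 3)` is needed to cover every name that starts with it, and the `flags>2` guard leaves a bare `..` unchecked. Separately, `file_hdr->name[flags-1]` reads before the buffer when the name is empty, which `if (flags && file_hdr->name[flags-1] == '/') file_hdr->name[flags-1] = 0;` avoids. The body of extract_to_disk starts before and continues past this hunk, and reusing `flags` as a string length deserves a short comment or a dedicated variable.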