From ae7ea62eea205d2816e09070b034a588dbaaaa6a Mon Sep 17 00:00:00 2001
From: Rob Landley
Date: Sat, 14 Jan 2017 16:51:43 -0600
Subject: Quick and dirty fix for CVE-2016-6321 but seriously this is in pending for a reason and I need to completely rewrite it.
---
 toys/pending/tar.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/toys/pending/tar.c b/toys/pending/tar.c
index d672d102..b6d27cb6 100644
--- a/toys/pending/tar.c
+++ b/toys/pending/tar.c
@@ -365,8 +365,16 @@ static void extract_to_disk(struct archive_handler *tar)
 struct stat ex;
 struct file_header *file_hdr = &tar->file_hdr;
- if (file_hdr->name[strlen(file_hdr->name)-1] == '/')
- file_hdr->name[strlen(file_hdr->name)-1] = 0;
+ flags = strlen(file_hdr->name);
+ if (flags>2) {
+ if (strstr(file_hdr->name, "/../") || !strcmp(file_hdr->name, "../") ||
+ !strcmp(file_hdr->name+flags-3, "/.."))
+ {
+ error_msg("drop %s", file_hdr->name);
+ }
+ }
+
+ if (file_hdr->name[flags-1] == '/') file_hdr->name[flags-1] = 0;
 //Regular file with preceding path
 if ((s = strrchr(file_hdr->name, '/'))) {
 if (mkpathat(AT_FDCWD, file_hdr->name, 00, 2) && errno !=EEXIST) {
-- cgit v1.2.3
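Review bot: The new `..` check only logs: after `error_msg("drop %s", file_hdr->name);` control falls through to the slash stripping and `mkpathat()` below, so unless `error_msg()` does not return, the entry is still extracted. The branch needs to leave the function, e.g. `return;` after the message, plus whatever skipping of the entry's data the rest of `extract_to_disk` requires, which is outside this hunk. The leading-component test `!strcmp(file_hdr->name, "../")` matches only a name that is exactly `../`, so a name that merely begins with `../` passes all three tests; `!strncmp(file_hdr->name, "../", 3)` would cover it, and the `flags>2` guard also lets a bare `..` through. `file_hdr->name[flags-1]` still indexes before the buffer when the name is empty, so `if (flags && file_hdr->name[flags-1] == '/')` would be safer.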