From ae7ea62eea205d2816e09070b034a588dbaaaa6a Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Sat, 14 Jan 2017 16:51:43 -0600 Subject: Quick and dirty fix for CVE-2016-6321 but seriously this is in pending for a reason and I need to completely rewrite it. --- toys/pending/tar.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'toys/pending') diff --git a/toys/pending/tar.c b/toys/pending/tar.c index d672d102..b6d27cb6 100644 --- a/toys/pending/tar.c +++ b/toys/pending/tar.c @@ -365,8 +365,16 @@ static void extract_to_disk(struct archive_handler *tar) struct stat ex; struct file_header *file_hdr = &tar->file_hdr; - if (file_hdr->name[strlen(file_hdr->name)-1] == '/') - file_hdr->name[strlen(file_hdr->name)-1] = 0; + flags = strlen(file_hdr->name); + if (flags>2) { + if (strstr(file_hdr->name, "/../") || !strcmp(file_hdr->name, "../") || + !strcmp(file_hdr->name+flags-3, "/..")) + { + error_msg("drop %s", file_hdr->name); + } + } + + if (file_hdr->name[flags-1] == '/') file_hdr->name[flags-1] = 0; //Regular file with preceding path if ((s = strrchr(file_hdr->name, '/'))) { if (mkpathat(AT_FDCWD, file_hdr->name, 00, 2) && errno !=EEXIST) { -- cgit v1.2.3