unzip: prevent attacks via malicious filenames

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Denys Vlasenko
2015-02-10 01:30:43 +01:00
parent 23cfaab47d
commit 8c06bc6ba1
4 changed files with 63 additions and 43 deletions


@ -17,36 +17,6 @@
typedef uint32_t aliased_uint32_t FIX_ALIASING;
typedef off_t aliased_off_t FIX_ALIASING;
const char* FAST_FUNC strip_unsafe_prefix(const char *str)
{
const char *cp = str;
while (1) {
char *cp2;
if (*cp == '/') {
cp++;
continue;
}
if (strncmp(cp, "/../"+1, 3) == 0) {
cp += 3;
continue;
}
cp2 = strstr(cp, "/../");
if (!cp2)
break;
cp = cp2 + 4;
}
if (cp != str) {
static smallint warned = 0;
if (!warned) {
warned = 1;
bb_error_msg("removing leading '%.*s' from member names",
(int)(cp - str), str);
}
}
return cp;
}
/* NB: _DESTROYS_ str[len] character! */
static unsigned long long getOctal(char *str, int len)
{