emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1

Browse Source 
function                                             old     new   delta
unsafe_symlink_target                                  -     147    +147
unzip_main                                          2711    2732     +21
copy_file                                           1657    1678     +21
tar_main                                             999     971     -28
data_extract_all                                    1038     984     -54
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 2/2 up/down: 189/-82)           Total: 107 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko
2017-08-10 11:52:42 +02:00
parent 0cf64c8b5d
commit bc9bbeb2b8
9 changed files with 85 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
testsuite/tar.tests
View File

@@ -279,7 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
testing "tar does not extract into symlinks" "\
>>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
" "\
tar: can't create symlink 'passwd' to '/tmp/passwd'
tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
0
" \
"" "\
@@ -299,7 +299,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
testing "tar -k does not extract into symlinks" "\
>>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
" "\
tar: can't create symlink 'passwd' to '/tmp/passwd'
tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
0
" \
"" "\
@@ -324,11 +324,11 @@ rm -rf etc usr
' "\
etc/ssl/certs/3b2716e5.0
etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
tar: skipping unsafe symlink to '/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
etc/ssl/certs/f80cc7f6.0
usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
0
etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
" \
"" ""
@@ -346,9 +346,9 @@ ls symlink/bb_test_evilfile
' "\
anything.txt
symlink
tar: skipping unsafe symlink to '/tmp' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
symlink/bb_test_evilfile
tar: can't create symlink 'symlink' to '/tmp'
1
0
ls: /tmp/bb_test_evilfile: No such file or directory
ls: bb_test_evilfile: No such file or directory
symlink/bb_test_evilfile