Fix security bug in contains_dot_dot routine.

PR: 43575 Submitted by: Brett Glass <brett@lariat.org> X-MFC after: immediately
svn path=/head/; revision=105437
2002-10-19 09:32:03 +00:00 · 2002-10-19 09:32:03 +00:00 · be23b71211 · 2020-12-20 02:59:44 +00:00
commit be23b71211
parent 68aff0840c
2 changed files with 17 additions and 1 deletions
--- a/contrib/tar/src/extract.c
+++ b/contrib/tar/src/extract.c
@ -1026,10 +1026,19 @@ extract_archive (void)
      {
 	struct stat st1, st2;
 	int e;
+	size_t skiplinkcrud;
+
+	if (absolute_names_option)
+	  skiplinkcrud = 0;
+	else {
+	  skiplinkcrud = FILESYSTEM_PREFIX_LEN (current_link_name);
+	  while (ISSLASH (current_link_name[skiplinkcrud]))
+	    skiplinkcrud++;
+	}

 	/* MSDOS does not implement links.  However, djgpp's link() actually
 	   copies the file.  */
-	status = link (current_link_name, CURRENT_FILE_NAME);
+	status = link (current_link_name + skiplinkcrud, CURRENT_FILE_NAME);

 	if (status == 0)
 	  {
--- a/contrib/tar/src/misc.c
+++ b/contrib/tar/src/misc.c
@ -216,6 +216,13 @@ contains_dot_dot (char const *name)
 	    return 0;
 	}
      while (! ISSLASH (*p));
+
+      do
+	{
+	  if (! *p++)
+	    return 0;
+	}
+      while ( ISSLASH (*p));
    }
 }