ar: Disallow directory traversal

Set ARCHIVE_EXTRACT_SECURE_SYMLINKS and ARCHIVE_EXTRACT_SECURE_NODOTDOT
as in bsdtar to prevent extraction of archive entries whose pathnames
contain .. or whose target directory would be altered by a symlink.
Also disallow absolute pathnames.

We don't currently provide an option to disable this behaviour (as
bsdtar's -P does). It is unlikely to be a problem in practice for ar(1),
but the -P option is not currently used and available if we want to
consider it for this purpose.

Differential Revision:	https://reviews.freebsd.org/D1524
Reported by:	Alexander Cherepanov <cherepan@mccme.ru>
Approved by:	delphij
Obtained from:	ELF tool chain ar, Ticket #474
MFC after:	1 week
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Ed Maste 2015-04-09 13:45:17 +00:00
parent 0ada3afc25
commit 56ad941995

View File

@ -187,7 +187,15 @@ read_archive(struct bsdar *bsdar, char mode)
if (bsdar->options & AR_V)
(void)fprintf(stdout, "x - %s\n", name);
flags = 0;
/* Disallow absolute paths. */
if (name[0] == '/') {
bsdar_warnc(bsdar, 0,
"Absolute path '%s'", name);
continue;
}
/* Basic path security flags. */
flags = ARCHIVE_EXTRACT_SECURE_SYMLINKS | \
ARCHIVE_EXTRACT_SECURE_NODOTDOT;
if (bsdar->options & AR_O)
flags |= ARCHIVE_EXTRACT_TIME;