Attachment #165785 for bug #206386

Lines 156-162 Link Here

(-)vendor/libarchive/dist/cpio/bsdcpio.1 (-1 / +2 lines)
156	.It Fl Fl insecure	156	.It Fl Fl insecure
157	(i and p mode only)	157	(i and p mode only)
158	Disable security checks during extraction or copying.	158	Disable security checks during extraction or copying.
159	This allows extraction via symbolic links and path names containing	159	This allows extraction via symbolic links, absolute paths,
		160	and path names containing
160	.Sq ..	161	.Sq ..
161	in the name.	162	in the name.
162	.It Fl J , Fl Fl xz	163	.It Fl J , Fl Fl xz

Lines 179-184 Link Here

(-)vendor/libarchive/dist/cpio/cpio.c (+2 lines)
179	cpio->extract_flags \|= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER;	179	cpio->extract_flags \|= ARCHIVE_EXTRACT_NO_OVERWRITE_NEWER;
180	cpio->extract_flags \|= ARCHIVE_EXTRACT_SECURE_SYMLINKS;	180	cpio->extract_flags \|= ARCHIVE_EXTRACT_SECURE_SYMLINKS;
181	cpio->extract_flags \|= ARCHIVE_EXTRACT_SECURE_NODOTDOT;	181	cpio->extract_flags \|= ARCHIVE_EXTRACT_SECURE_NODOTDOT;
		182	cpio->extract_flags \|= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
182	cpio->extract_flags \|= ARCHIVE_EXTRACT_PERM;	183	cpio->extract_flags \|= ARCHIVE_EXTRACT_PERM;
183	cpio->extract_flags \|= ARCHIVE_EXTRACT_FFLAGS;	184	cpio->extract_flags \|= ARCHIVE_EXTRACT_FFLAGS;
184	cpio->extract_flags \|= ARCHIVE_EXTRACT_ACL;	185	cpio->extract_flags \|= ARCHIVE_EXTRACT_ACL;
Lines 264-269 Link Here
264	case OPTION_INSECURE:	265	case OPTION_INSECURE:
265	cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS;	266	cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_SYMLINKS;
266	cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT;	267	cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NODOTDOT;
		268	cpio->extract_flags &= ~ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
267	break;	269	break;
268	case 'L': /* GNU cpio */	270	case 'L': /* GNU cpio */
269	cpio->option_follow_links = 1;	271	cpio->option_follow_links = 1;

Lines 562-567 Link Here

(-)vendor/libarchive/dist/libarchive/archive.h (+2 lines)
562	/* Default: Do not use HFS+ compression if it was not compressed. */	562	/* Default: Do not use HFS+ compression if it was not compressed. */
563	/* This has no effect except on Mac OS v10.6 or later. */	563	/* This has no effect except on Mac OS v10.6 or later. */
564	#define ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED (0x8000)	564	#define ARCHIVE_EXTRACT_HFS_COMPRESSION_FORCED (0x8000)
		565	/* Default: Do not reject entries with absolute paths */
		566	#define ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (0x10000)
565		567
566	__LA_DECL int archive_read_extract(struct archive , struct archive_entry ,	568	__LA_DECL int archive_read_extract(struct archive , struct archive_entry ,
567	int flags);	569	int flags);

Lines 177-182 Link Here

(-)vendor/libarchive/dist/libarchive/archive_write_disk.3 (+3 lines)
177	Note that paths ending in	177	Note that paths ending in
178	.Pa ..	178	.Pa ..
179	always cause an error, regardless of this flag.	179	always cause an error, regardless of this flag.
		180	.It Cm ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
		181	Refuse to extract an absolute path.
		182	The default is to not refuse such paths.
180	.It Cm ARCHIVE_EXTRACT_SPARSE	183	.It Cm ARCHIVE_EXTRACT_SPARSE
181	Scan data for blocks of NUL bytes and try to recreate them with holes.	184	Scan data for blocks of NUL bytes and try to recreate them with holes.
182	This results in sparse files, independent of whether the archive format	185	This results in sparse files, independent of whether the archive format




/*
 * Canonicalize the pathname.  In particular, this strips duplicate
 * '/' characters, '.' elements, and trailing '/'.  It also raises an
 * error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is
 * set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
 * is set) if the path is absolute.
 */
static int
cleanup_pathname(struct archive_write_disk *a)

	cleanup_pathname_win(a);
#endif
	/* Skip leading '/'. */
	if (*src == '/') {
		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
			                  "Path is absolute");
			return (ARCHIVE_FAILED);
		}

		separator = *src++;
	}

	/* Scan the pathname one element at a time. */
	for (;;) {




	assert(S_ISDIR(st.st_mode));
	archive_entry_free(ae);

	/*
	 * Without security checks, we should be able to
	 * extract an absolute path.
	 */
	assert((ae = archive_entry_new()) != NULL);
	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
	archive_entry_set_mode(ae, S_IFREG | 0777);
	assert(0 == archive_write_header(a, ae));
	assert(0 == archive_write_finish_entry(a));
	assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
	assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"));

	/* But with security checks enabled, this should fail. */
	assert(archive_entry_clear(ae) != NULL);
	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
	archive_entry_set_mode(ae, S_IFREG | 0777);
	archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS);
	failure("Extracting an absolute path should fail here.");
	assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae));
	archive_entry_free(ae);
	assert(0 == archive_write_finish_entry(a));
	assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");

	assertEqualInt(ARCHIVE_OK, archive_write_free(a));

	/* Test the entries on disk. */

Return to bug 206386

Lines 2504-2511 Link Here

(-)vendor/libarchive/dist/libarchive/archive_write_disk_posix.c (-3 / +11 lines)
2504	/*	2504	/*
2505	* Canonicalize the pathname. In particular, this strips duplicate	2505	* Canonicalize the pathname. In particular, this strips duplicate
2506	* '/' characters, '.' elements, and trailing '/'. It also raises an	2506	* '/' characters, '.' elements, and trailing '/'. It also raises an
2507	* error for an empty path, a trailing '..' or (if _SECURE_NODOTDOT is	2507	* error for an empty path, a trailing '..', (if _SECURE_NODOTDOT is
2508	* set) any '..' in the path.	2508	* set) any '..' in the path or (if ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
		2509	* is set) if the path is absolute.
2509	*/	2510	*/
2510	static int	2511	static int
2511	cleanup_pathname(struct archive_write_disk *a)	2512	cleanup_pathname(struct archive_write_disk *a)
Lines 2524-2531 Link Here
2524	cleanup_pathname_win(a);	2525	cleanup_pathname_win(a);
2525	#endif	2526	#endif
2526	/* Skip leading '/'. */	2527	/* Skip leading '/'. */
2527	if (*src == '/')	2528	if (*src == '/') {
		2529	if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
		2530	archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
		2531	"Path is absolute");
		2532	return (ARCHIVE_FAILED);
		2533	}
		2534
2528	separator = *src++;	2535	separator = *src++;
		2536	}
2529		2537
2530	/* Scan the pathname one element at a time. */	2538	/* Scan the pathname one element at a time. */
2531	for (;;) {	2539	for (;;) {

Lines 178-183 Link Here

(-)vendor/libarchive/dist/libarchive/test/test_write_disk_secure.c (+23 lines)
178	assert(S_ISDIR(st.st_mode));	178	assert(S_ISDIR(st.st_mode));
179	archive_entry_free(ae);	179	archive_entry_free(ae);
180		180
		181	/*
		182	* Without security checks, we should be able to
		183	* extract an absolute path.
		184	*/
		185	assert((ae = archive_entry_new()) != NULL);
		186	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
		187	archive_entry_set_mode(ae, S_IFREG \| 0777);
		188	assert(0 == archive_write_header(a, ae));
		189	assert(0 == archive_write_finish_entry(a));
		190	assertFileExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
		191	assert(0 == unlink("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp"));
		192
		193	/* But with security checks enabled, this should fail. */
		194	assert(archive_entry_clear(ae) != NULL);
		195	archive_entry_copy_pathname(ae, "/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
		196	archive_entry_set_mode(ae, S_IFREG \| 0777);
		197	archive_write_disk_set_options(a, ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS);
		198	failure("Extracting an absolute path should fail here.");
		199	assertEqualInt(ARCHIVE_FAILED, archive_write_header(a, ae));
		200	archive_entry_free(ae);
		201	assert(0 == archive_write_finish_entry(a));
		202	assertFileNotExists("/tmp/libarchive_test-test_write_disk_secure-absolute_path.tmp");
		203
181	assertEqualInt(ARCHIVE_OK, archive_write_free(a));	204	assertEqualInt(ARCHIVE_OK, archive_write_free(a));
182		205
183	/* Test the entries on disk. */	206	/* Test the entries on disk. */