author | emaste <emaste@FreeBSD.org> | 2015-04-24 15:48:23 +0000 |
---|---|---|
committer | emaste <emaste@FreeBSD.org> | 2015-04-24 15:48:23 +0000 |
commit | b4641924a1b47435c3fb6e9dfea6e4c39bee66ed (patch) | |
tree | c57e565288bb5ed99ed2897129368b04bf85904c /usr.bin | |
parent | e9c3a03985d85c8667363575dea65e86455b717e (diff) | |
MFC r281311: ar: Disallow directory traversal
Set ARCHIVE_EXTRACT_SECURE_SYMLINKS and ARCHIVE_EXTRACT_SECURE_NODOTDOT
as in bsdtar to prevent extraction of archive entries whose pathnames
contain .. or whose target directory would be altered by a symlink.
Also disallow absolute pathnames.
We don't currently provide an option to disable this behaviour (as
bsdtar's -P does). It is unlikely to be a problem in practice for ar(1),
but the -P option is not currently used and available if we want to
consider it for this purpose.
Obtained from: ELF tool chain ar, Ticket #474
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ar/read.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.bin/ar/read.c b/usr.bin/ar/read.c index e595869..98674b7 100644 --- a/usr.bin/ar/read.c +++ b/usr.bin/ar/read.c @@ -186,7 +186,15 @@ read_archive(struct bsdar *bsdar, char mode) if (bsdar->options & AR_V) (void)fprintf(stdout, "x - %s\n", name); - flags = 0; + /* Disallow absolute paths. */ + if (name[0] == '/') { + bsdar_warnc(bsdar, 0, + "Absolute path '%s'", name); + continue; + } + /* Basic path security flags. */ + flags = ARCHIVE_EXTRACT_SECURE_SYMLINKS | \ + ARCHIVE_EXTRACT_SECURE_NODOTDOT; if (bsdar->options & AR_O) flags |= ARCHIVE_EXTRACT_TIME; |
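Review bot: the verbose `x - %s` line is printed before the new absolute-path check in read_archive(), so with AR_V set an entry that is then refused with "Absolute path" has already been reported on stdout as extracted. Moving the `name[0] == '/'` test above the `if (bsdar->options & AR_V)` print would keep the verbose listing consistent with what was actually written to disk. It is also not clear from these lines whether the `bsdar_warnc(bsdar, 0, ...)` plus `continue` path affects the exit status; a script running extraction would want a non-zero exit when members were refused, so that is worth confirming or stating in the commit message. Style point: the trailing backslash after `ARCHIVE_EXTRACT_SECURE_SYMLINKS |` is unnecessary outside a macro definition and can be dropped.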