Disallow symlinks to out-of-path filenames

pear · Dec 14, 2020 · cde4605 · cde4605 · carnil · Jan 19, 2021
1 parent be2da51
commit cde4605
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/Archive/Tar.php b/Archive/Tar.php
@@ -2124,6 +2124,14 @@ public function _extractList(
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
+                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                            $this->_error(
+                                 'Out-of-path file extraction {'
+                                 . $v_header['filename'] . ' --> ' .
+                                 $v_header['link'] . '}'
+                            );
+                            return false;
+                        }
                         if (!$p_symlinks) {
                             $this->_warning('Symbolic links are not allowed. '
                                 . 'Unable to extract {'

diff --git a/tests/out_of_path_fnames.phpt b/tests/out_of_path_fnames.phpt
@@ -0,0 +1,18 @@
+--TEST--
+tests writes to out-of-path filenames
+--SKIPIF--
+--FILE--
+<?php
+require_once dirname(__FILE__) . '/setup.php.inc';
+$tar = new Archive_Tar(dirname(__FILE__) . '/out_of_path_symlink.tar');
+$tar->extract();
+$phpunit->assertErrors(array(array('package' => 'PEAR_Error', 'message' => "Out-of-path file extraction {symlink --> /tmp/}")), 'after 1');
+$phpunit->assertFileNotExists('symlink/whatever-filename', 'Out-of-path filename should not have succeeded');
+echo 'tests done';
+?>
+--CLEAN--
+<?php
+@unlink("symlink");
+?>
+--EXPECT--
+tests done
diff --git a/tests/out_of_path_symlink.tar b/tests/out_of_path_symlink.tar