From cde460582ff389404b5b3ccb59374e9b389de916 Mon Sep 17 00:00:00 2001 From: Michiel Rook Date: Mon, 14 Dec 2020 14:15:41 +0100 Subject: [PATCH] Disallow symlinks to out-of-path filenames --- Archive/Tar.php | 8 ++++++++ tests/out_of_path_fnames.phpt | 18 ++++++++++++++++++ tests/out_of_path_symlink.tar | Bin 0 -> 2561 bytes 3 files changed, 26 insertions(+) create mode 100644 tests/out_of_path_fnames.phpt create mode 100644 tests/out_of_path_symlink.tar diff --git a/Archive/Tar.php b/Archive/Tar.php index f461c1e..76771d5 100644 --- a/Archive/Tar.php +++ b/Archive/Tar.php @@ -2124,6 +2124,14 @@ public function _extractList( } } } elseif ($v_header['typeflag'] == "2") { + if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) { + $this->_error( + 'Out-of-path file extraction {' + . $v_header['filename'] . ' --> ' . + $v_header['link'] . '}' + ); + return false; + } if (!$p_symlinks) { $this->_warning('Symbolic links are not allowed. ' . 'Unable to extract {' diff --git a/tests/out_of_path_fnames.phpt b/tests/out_of_path_fnames.phpt new file mode 100644 index 0000000..a26100c --- /dev/null +++ b/tests/out_of_path_fnames.phpt @@ -0,0 +1,18 @@ +--TEST-- +tests writes to out-of-path filenames +--SKIPIF-- +--FILE-- +extract(); +$phpunit->assertErrors(array(array('package' => 'PEAR_Error', 'message' => "Out-of-path file extraction {symlink --> /tmp/}")), 'after 1'); +$phpunit->assertFileNotExists('symlink/whatever-filename', 'Out-of-path filename should not have succeeded'); +echo 'tests done'; +?> +--CLEAN-- + +--EXPECT-- +tests done diff --git a/tests/out_of_path_symlink.tar b/tests/out_of_path_symlink.tar new file mode 100644 index 0000000000000000000000000000000000000000..fc6854b85036469730db581ef21952b42a0740e8 GIT binary patch literal 2561 zcmeH^O%B2!5QS&$DS83JUxo9KIHsgf4WOjAm)4D%6gO>Rl-W$eOCE2&7e;5z(8HEP z^C+cY+Iimh{KkZmj30QbBv2+K=g@Ex-GywKEPG!=)ILW_9ilD#^+}&kdpfRQ^-WTE z^iNW!Bi_*OPsZY)9j+L1LR0LYF?j7?idI5HSIn?z_2>PY*rc=X@wf=63Y9=5Pzh85 Izer$r2XN>(t^fc4 literal 0 HcmV?d00001