Don't allow hardlinks to overwrite existing files #156

merged 2 commits into from Jun 29, 2018



alexcrichton commented Jun 29, 2018

This crate tries to provide the guarantee that unpack_in won't actually overwrite any files outside of the provided directory. Unfortunately though there's a hole in this logic where a hard link can be used to overwrite an arbitrary file on the filesystem.

This commit fixes this issue by using the preexisting logic for extracting paths outside the destination (including symlinks) to validate the link destination of a hard link.

@alexcrichton alexcrichton merged commit 54651a8 into master Jun 29, 2018
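An added example (not part of this pull request and not tar-rs's own code) of the kind of check the description above refers to: the link name of a hard-link entry is resolved against the destination directory, with symlinks followed, and refused if it lands outside. The names `checked_link_target` and `unpack_hard_link`, the scratch file names, and the choice to refuse `..` and absolute link names outright are assumptions of this example.

```rust
use std::io::{self, Error, ErrorKind};
use std::path::{Component, Path, PathBuf};

// Added example, not tar-rs code: resolve the link name of a hard-link
// entry against the unpack directory `dst` and refuse anything outside it.
fn checked_link_target(dst: &Path, link_name: &Path) -> io::Result<PathBuf> {
    let deny = |why: &str| Error::new(ErrorKind::InvalidInput, why.to_string());
    let mut rel = PathBuf::new();
    for part in link_name.components() {
        match part {
            // Absolute paths and `..` are refused outright (a choice made here).
            Component::Prefix(_) | Component::RootDir | Component::ParentDir => {
                return Err(deny("link name leaves the destination"));
            }
            Component::CurDir => {}
            Component::Normal(p) => rel.push(p),
        }
    }
    if rel.as_os_str().is_empty() {
        return Err(deny("empty link name"));
    }
    // A hard link needs an existing target, so canonicalize() can resolve
    // symlinks in the path; the resolved target must still be under `dst`.
    let root = dst.canonicalize()?;
    let target = root.join(&rel).canonicalize()?;
    if !target.starts_with(&root) {
        return Err(deny("link name resolves outside the destination"));
    }
    Ok(target)
}

// Create `dst/entry_path` as a hard link only after the target passes the check.
// `entry_path` is assumed to have been validated already by the caller.
fn unpack_hard_link(dst: &Path, entry_path: &Path, link_name: &Path) -> io::Result<()> {
    let target = checked_link_target(dst, link_name)?;
    std::fs::hard_link(target, dst.join(entry_path))
}

fn main() -> io::Result<()> {
    // Constructed scratch layout: <tmp>/hl-demo-<pid>/{out/ok.txt, victim.txt}
    let base = std::env::temp_dir().join(format!("hl-demo-{}", std::process::id()));
    let dst = base.join("out");
    std::fs::create_dir_all(&dst)?;
    std::fs::write(dst.join("ok.txt"), b"inside")?;
    std::fs::write(base.join("victim.txt"), b"outside")?;
    println!("ok.txt: {:?}", unpack_hard_link(&dst, Path::new("a"), Path::new("ok.txt")));
    println!("../victim.txt: {:?}", unpack_hard_link(&dst, Path::new("b"), Path::new("../victim.txt")));
    std::fs::remove_dir_all(&base)
}
```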

2 of 4 checks passed

continuous-integration/travis-ci/pr The Travis CI build is in progress
continuous-integration/travis-ci/push The Travis CI build is in progress
continuous-integration/appveyor/branch AppVeyor build succeeded
continuous-integration/appveyor/pr AppVeyor build succeeded

@alexcrichton alexcrichton deleted the protect-hard-links branch Jun 29, 2018

matthiaskrgr added a commit to matthiaskrgr/cargo-tree that referenced this pull request Aug 30, 2018

update deps.
"cargo audit" was showing a vulnerability in tar 0.4.15, this updates to tar v0.4.16.

error: Vulnerable crates found!
ID:  RUSTSEC-2018-0002
Crate:   tar
Version: 0.4.15
Date:    2018-06-29
URL:     alexcrichton/tar-rs#156
Title:   Links in archives can overwrite any existing file
Solution: upgrade to: >= 0.4.16
error: 1 vulnerability found!