

Fix out-of-path check for virtual relative symlink
A symlink is out-of-path if it is an absolute path or goes "up" too many
times. This checks how deep the filename is and whether the link points
more levels up than the depth of the filename.
woefe authored and mrook committed Feb 4, 2021
1 parent dc721bd commit b6da5c3
Showing 1 changed file with 19 additions and 1 deletion.
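--- a/Archive/Tar.php
+++ b/Archive/Tar.php
@@ -2124,7 +2124,25 @@ public function _extractList(
 }
 }
 } elseif ($v_header['typeflag'] == "2") {
-if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+$link_depth = 0;
+foreach (explode("/", $v_header['filename']) as $dir) {
+if ($dir === "..") {
+$link_depth--;
+} elseif ($dir !== "" && $dir !== "." ) {
+$link_depth++;
+}
+}
+foreach (explode("/", $v_header['link']) as $dir){
+if ($link_depth <= 0) {
+break;
+}
+if ($dir === "..") {
+$link_depth--;
+} elseif ($dir !== "" && $dir !== ".") {
+$link_depth++;
+}
+}
+if (str_starts_with($v_header['link'], "/") or $link_depth <= 0) {
 $this->_error(
 'Out-of-path file extraction {'
 . $v_header['filename'] . ' --> ' .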
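Review bot: `str_starts_with()` on the new `if` line exists only from PHP 8.0, so on any older runtime this branch aborts with an undefined-function error the first time an archive contains a symlink entry; if the package still supports pre-8 PHP, `if (strpos($v_header['link'], "/") === 0 || $link_depth <= 0) {` expresses the same check without the dependency. The depth count is purely lexical: it cannot see a symlink that an earlier entry of the same archive has already placed on disk, so a target path that passes through such a link may resolve outside `$p_path` even though its component count looks fine — whether the later per-entry path checks cover that case is decided by code outside this hunk, and is worth confirming. A short comment on `$link_depth = 0;` would help the next reader, e.g. `// Depth of the entry itself (its last component counts), so 0 after walking the link means one level above the extraction root; hence "<= 0".`. `_extractList` begins and ends outside the hunk.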

