Fix out-of-path check for virtual relative symlink

A symlink is out-of-path if it is an absolute path or goes "up" too many times. This checks the amount of ".." vs. normal downward path elements. If the path has too many ".." it is out-of-path.
pear · Feb 2, 2021 · c440890 · c440890
1 parent 6d53194
commit c440890
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/Archive/Tar.php b/Archive/Tar.php
@@ -2124,7 +2124,16 @@ public function _extractList(
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
-                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                        $up = 0;
+                        $down = 0;
+                        foreach (explode("/", $v_header['link']) as $dir){
+                            if ($dir === "..") {
+                                $up++;
+                            } elseif ($dir !== "" && $dir !== ".") {
+                                $down++;
+                            }
+                        }
+                        if (str_starts_with($v_header['link'], "/") or $up > $down) {
                             $this->_error(
                                  'Out-of-path file extraction {'
                                  . $v_header['filename'] . ' --> ' .