From c4408902ad06828588b0d0d796ea7153f52a1c76 Mon Sep 17 00:00:00 2001
From: Wolfgang Popp
Date: Tue, 2 Feb 2021 23:32:18 +0100
Subject: [PATCH] Fix out-of-path check for virtual relative symlink
A symlink is out-of-path if it is an absolute path or goes "up" too many times. This checks the amount of ".." vs. normal downward path elements. If the path has too many ".." it is out-of-path.
---
 Archive/Tar.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/Archive/Tar.php b/Archive/Tar.php
index 8a2d2db..f15df92 100644
--- a/Archive/Tar.php
+++ b/Archive/Tar.php
@@ -2124,7 +2124,16 @@ public function _extractList(
 }
 }
 } elseif ($v_header['typeflag'] == "2") {
- if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+ $up = 0;
+ $down = 0;
+ foreach (explode("/", $v_header['link']) as $dir){
+ if ($dir === "..") {
+ $up++;
+ } elseif ($dir !== "" && $dir !== ".") {
+ $down++;
+ }
+ }
+ if (str_starts_with($v_header['link'], "/") or $up > $down) {
 $this->_error(
 'Out-of-path file extraction {' . $v_header['filename'] . ' --> ' .
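Review bot: The new `$up > $down` test on the last added line is order- and location-insensitive, so it still lets a symlink escape: a top-level entry whose link is `../etc/passwd` counts one `..` against two downward components and passes, and `a/../../b` balances to 2/2 even though it climbs above the root after its second component. The target is resolved relative to the symlink's own directory, so the check should walk `dirname($v_header['filename'])` followed by the link components with a running depth and refuse the entry as soon as that depth goes negative (this assumes `$v_header['filename']` has already passed the out-of-path check for regular entries, which is outside this hunk). `str_starts_with()` also requires PHP 8.0, whereas the replaced line used `strpos()`; if the package still supports PHP 7, `substr($v_header['link'], 0, 1) === "/"` keeps the absolute-path test portable. Backslash-separated targets are not split by `explode("/", ...)` either, which may matter for archives produced on Windows — worth confirming against how the rest of the file normalises paths. The enclosing `_extractList()` method starts and ends outside the hunk.
```php
} elseif ($v_header['typeflag'] == "2") {
    $escapes = substr($v_header['link'], 0, 1) === "/";
    // Walk the target relative to the symlink's own directory; refuse it
    // as soon as the running depth climbs above the extraction root.
    $depth = 0;
    $parts = explode("/", dirname($v_header['filename']) . "/" . $v_header['link']);
    foreach ($parts as $dir) {
        if ($dir === "..") {
            $depth--;
        } elseif ($dir !== "" && $dir !== ".") {
            $depth++;
        }
        if ($depth < 0) {
            $escapes = true;
            break;
        }
    }
    if ($escapes) {
        // … unchanged: $this->_error('Out-of-path file extraction …') …
```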