rpms/gcab
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add missing patch

Browse Source
This commit is contained in:
Marc-André Lureau 2015-01-06 12:42:52 +01:00
parent 112040abc1
commit 21e9f6edec
1 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
0001-Avoid-path-traversal.patch Normal file
View File

@ -0,0 +1,52 @@
From 0ccdf564b6a3e26522a8eb1858f1828844fa3536 Mon Sep 17 00:00:00 2001
From: Stephen Kitt <steve@sk2.org>
Date: Mon, 5 Jan 2015 06:28:00 +0000
Subject: [PATCH] Avoid path traversal
gcab suffers from a directory traversal bug: it doesn't filter leading
slashes from paths in CAB files.
(see https://bugs.debian.org/774580)
The attached patch fixes this, at the cost of ugly paths when faced with
relative traversals. At least all the CAB's contents can be extracted,
without overwriting anything outside the extraction path.
https://bugzilla.gnome.org/show_bug.cgi?id=742331
---
libgcab/gcab-folder.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
index a140e2c..9510cf3 100644
--- a/libgcab/gcab-folder.c
+++ b/libgcab/gcab-folder.c
@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
fname[i] = '/';
GFile *gfile = g_file_resolve_relative_path (path, fname);
- GFile *parent = g_file_get_parent (gfile);
g_free (fname);
+ if (!g_file_has_prefix (gfile, path)) {
+ // "Rebase" the file in the given path, to ensure we never escape it
+ char *rawpath = g_file_get_path (gfile);
+ if (rawpath != NULL) {
+ char *newpath = rawpath;
+ while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
+ newpath++;
+ }
+ GFile *newgfile = g_file_resolve_relative_path (path, newpath);
+ g_free (rawpath);
+ g_object_unref (gfile);
+ gfile = newgfile;
+ }
+ }
+
+ GFile *parent = g_file_get_parent (gfile);
+
if (!g_file_make_directory_with_parents (parent, cancellable, &my_error)) {
if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
g_clear_error (&my_error);
--
2.1.0