File 0001-Fix-arbitrary-file-write-vulnerability.patch of Package ant

diff -Naru apache-ant-1.10.2_orig/manual/Tasks/unzip.html apache-ant-1.10.2/manual/Tasks/unzip.html
--- apache-ant-1.10.2_orig/manual/Tasks/unzip.html	2018-02-04 01:52:24.000000000 +0900
+++ apache-ant-1.10.2/manual/Tasks/unzip.html	2022-07-26 20:33:46.259863279 +0900
@@ -126,7 +126,8 @@
       Note that this changes the entry's name before applying
       include/exclude patterns and before using the nested mappers (if
       any).  <em>since Ant 1.8.0</em></td>
-    <td valign="top" align="center">No, defaults to false</td>
+    <td valign="top" align="center">No, defaults to true since 1.9.12
+      (used to defaukt to false prior to that)</td>
   </tr>
   <tr>
     <td valign="top">scanForUnicodeExtraFields</td>
@@ -138,6 +139,15 @@
       zip task page</a></td>
     <td align="center" valign="top">No, defaults to true</td>
   </tr>
+  <tr>
+    <td valign="top">allowFilesToEscapeDest</td>
+    <td valign="top">Whether to allow the extracted file or directory
+      to be outside of the dest directory.
+      <em>since Ant 1.9.12</em></td>
+    <td valign="top" align="center">No, defaults to false unless
+    stripAbsolutePathSpec is true and the entry's name starts with a leading
+    path spec.</td>
+  </tr>
 </table>
 <h3>Examples</h3>
 <pre>
diff -Naru apache-ant-1.10.2_orig/src/main/org/apache/tools/ant/taskdefs/Expand.java apache-ant-1.10.2/src/main/org/apache/tools/ant/taskdefs/Expand.java
--- apache-ant-1.10.2_orig/src/main/org/apache/tools/ant/taskdefs/Expand.java	2018-02-04 01:52:24.000000000 +0900
+++ apache-ant-1.10.2/src/main/org/apache/tools/ant/taskdefs/Expand.java	2022-07-26 20:39:25.831436977 +0900
@@ -76,8 +76,9 @@
     private Union resources = new Union();
     private boolean resourcesSpecified = false;
     private boolean failOnEmptyArchive = false;
-    private boolean stripAbsolutePathSpec = false;
+    private boolean stripAbsolutePathSpec = true;
     private boolean scanForUnicodeExtraFields = true;
+    private Boolean allowFilesToEscapeDest = null;
 
     private String encoding;
 
@@ -259,14 +260,17 @@
                                boolean isDirectory, FileNameMapper mapper)
                                throws IOException {
 
-        if (stripAbsolutePathSpec && !entryName.isEmpty()
+	final boolean entryNameStartsWithPathSpec = entryName.length() > 0
             && (entryName.charAt(0) == File.separatorChar
                 || entryName.charAt(0) == '/'
-                || entryName.charAt(0) == '\\')) {
+                || entryName.charAt(0) == '\\');
+	if (stripAbsolutePathSpec && entryNameStartsWithPathSpec) {
             log("stripped absolute path spec from " + entryName,
                 Project.MSG_VERBOSE);
             entryName = entryName.substring(1);
         }
+        boolean allowedOutsideOfDest = Boolean.TRUE == getAllowFilesToEscapeDest()
+            || null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec;
 
         if (!(patternsets == null || patternsets.isEmpty())) {
             String name = entryName.replace('/', File.separatorChar)
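Review bot: The two lines introducing `entryNameStartsWithPathSpec` and the `if` that follows are indented with a tab while the rest of the method uses spaces, and the `allowedOutsideOfDest` expression compares a boxed `Boolean` by identity (`Boolean.TRUE == getAllowFilesToEscapeDest()`) while chaining `||` and `&&` without parentheses, so the intended grouping has to be worked out from operator precedence. Reading the getter once and using `equals` keeps the same semantics and makes the tri-state explicit: `final Boolean escape = getAllowFilesToEscapeDest();` followed by `boolean allowedOutsideOfDest = Boolean.TRUE.equals(escape) || (escape == null && !stripAbsolutePathSpec && entryNameStartsWithPathSpec);`. The strip removes exactly one leading separator, so an entry such as `//x` is still absolute afterwards; that appears harmless only because the later `isLeadingPath` check rejects it when escaping is not allowed, which deserves a comment on the strip, e.g. `// only one separator is removed; isLeadingPath below is the real guard`. The enclosing method `extractFile` begins above this hunk and continues past it.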
@@ -332,6 +336,12 @@
             mappedNames = new String[] {entryName};
         }
         File f = fileUtils.resolveFile(dir, mappedNames[0]);
+        if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
+            log("skipping " + entryName + " as its target " + f + " is outside of "
+                + dir + ".", Project.MSG_VERBOSE);
+                return;
+        }
+
         try {
             if (!overwrite && f.exists()
                 && f.lastModified() >= entryDate.getTime()) {
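Review bot: An entry whose resolved target lies outside `dir` is a strong signal of a malicious or corrupt archive, yet the new check drops it at `Project.MSG_VERBOSE`, so a default run over an attacker-supplied archive gives no visible hint that entries were skipped. Logging at `Project.MSG_WARN` (or failing the task behind a flag) would surface the attempt: `log("skipping " + entryName + " as its target " + f + " is outside of " + dir + ".", Project.MSG_WARN);`. The `return;` is also indented one level deeper than the surrounding statements. `fileUtils.isLeadingPath` is not visible in this patch; if it compares normalised absolute paths without resolving symbolic links, a pre-existing symlink beneath `dir` could still let a write land outside the destination, which is worth confirming against `FileUtils`. The enclosing method `extractFile` begins above this hunk and continues past it.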
@@ -524,4 +534,25 @@
         return scanForUnicodeExtraFields;
     }
 
+    /**
+     * Whether to allow the extracted file or directory to be outside of the dest directory.
+     *
+     * @param b the flag
+     * @since Ant 1.9.12
+     */
+    public void setAllowFilesToEscapeDest(boolean b) {
+        allowFilesToEscapeDest = b;
+    }
+
+    /**
+     * Whether to allow the extracted file or directory to be outside of the dest directory.
+     *
+     * @return {@code null} if the flag hasn't been set explicitly,
+     * otherwise the value set by the user.
+     * @since Ant 1.9.12
+     */
+    public Boolean getAllowFilesToEscapeDest() {
+        return allowFilesToEscapeDest;
+    }
+
 }
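Review bot: The Javadoc of `setAllowFilesToEscapeDest` does not say what happens when the attribute is left unset, although that case is non-trivial (per the `allowedOutsideOfDest` computation elsewhere in this patch, escape is permitted only when `stripAbsolutePathSpec` is false and the entry name starts with a path separator), and the manual hunk in this same patch describes that default with the condition inverted (`stripAbsolutePathSpec is true`). Adding to the setter's Javadoc `Defaults to {@code false}; if unset and {@code stripAbsolutePathSpec} is {@code false}, entries whose names start with a path separator are allowed to escape.` and aligning the manual text with the code would remove the contradiction. The getter's `@return` already documents the {@code null} case and can stay as is.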
diff -Naru apache-ant-1.10.2_orig/src/tests/antunit/taskdefs/unzip-test.xml apache-ant-1.10.2/src/tests/antunit/taskdefs/unzip-test.xml
--- apache-ant-1.10.2_orig/src/tests/antunit/taskdefs/unzip-test.xml	2018-02-04 01:52:24.000000000 +0900
+++ apache-ant-1.10.2/src/tests/antunit/taskdefs/unzip-test.xml	2022-07-26 20:33:46.259863279 +0900
@@ -24,6 +24,10 @@
     <mkdir dir="${output}" />
   </target>
 
+  <target name="tearDown" depends="antunit-base.tearDown">
+    <delete dir="/tmp/testdir"/>
+  </target>
+
   <target name="testFailureOnBrokenCentralDirectoryStructure">
     <au:expectfailure
        expectedmessage="central directory is empty, can't expand corrupt archive.">
@@ -67,4 +71,46 @@
     <!-- failed on Windows and other OSes with implicit file locking -->
     <au:assertFileDoesntExist file="${input}/test.zip"/>
   </target>
+
+  <target name="testEntriesDontEscapeDestByDefault">
+    <mkdir dir="${input}/"/>
+    <mkdir dir="${output}/"/>
+    <unzip src="zip/direscape.zip" dest="${output}"/>
+    <au:assertFileDoesntExist file="${input}/a"/>
+  </target>
+
+  <target name="testEntriesCanEscapeDestIfRequested">
+    <mkdir dir="${input}/"/>
+    <mkdir dir="${output}/"/>
+    <unzip src="zip/direscape.zip" dest="${output}" allowFilesToEscapeDest="true"/>
+    <au:assertFileExists file="${input}/a"/>
+  </target>
+
+  <target name="-can-write-to-tmp?">
+    <mkdir dir="${input}"/>
+    <echo file="${input}/A.java"><![CDATA[
+public class A {
+    public static void main(String[] args) {
+        new java.io.File("/tmp/testdir/").mkdirs();
+    }
+}
+]]></echo>
+    <mkdir dir="${output}"/>
+    <javac srcdir="${input}" destdir="${output}"/>
+    <java classname="A" classpath="${output}"/>
+    <available property="can-write-to-tmp!" file="/tmp/testdir/"/>
+  </target>
+
+  <target name="testEntriesCanEscapeDestViaAbsolutePathIfPermitted"
+          depends="-can-write-to-tmp?" if="can-write-to-tmp!">
+    <unzip src="zip/direscape-absolute.zip" dest="${output}"
+           stripAbsolutePathSpec="false"/>
+    <au:assertFileExists file="/tmp/testdir/a"/>
+  </target>
+
+  <target name="testEntriesDontEscapeDestViaAbsolutePathByDefault"
+          depends="-can-write-to-tmp?" if="can-write-to-tmp!">
+    <unzip src="zip/direscape-absolute.zip" dest="${output}"/>
+    <au:assertFileDoesntExist file="/tmp/testdir/a"/>
+  </target>
 </project>
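Review bot: The new absolute-path tests and the `-can-write-to-tmp?` probe write to, and the tearDown `<delete>`s, the fixed world-writable path `/tmp/testdir`, so on a shared build host another local user who pre-creates `/tmp/testdir` (for instance as a symlink) can redirect both the `stripAbsolutePathSpec="false"` extraction and the deletion. The path is presumably dictated by the entries inside `zip/direscape-absolute.zip`, which are not visible here, so it may not be changeable; if so, a comment on the probe target such as `<!-- path must match the absolute entry in zip/direscape-absolute.zip -->` plus a check that `/tmp/testdir` is a real directory rather than a symlink before the `if` tests run would at least make the assumption explicit. Separately, `testEntriesDontEscapeDestByDefault` and `testEntriesDontEscapeDestViaAbsolutePathByDefault` only assert that the escaping file is absent, so they would also pass if unzip extracted nothing at all; if the fixture archives contain an in-dest entry, asserting that it exists would guard against that regression.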