File 0001-Fix-arbitrary-file-write-vulnerability.patch of Package ant
diff -Naru apache-ant-1.10.2_orig/manual/Tasks/unzip.html apache-ant-1.10.2/manual/Tasks/unzip.html --- apache-ant-1.10.2_orig/manual/Tasks/unzip.html 2018-02-04 01:52:24.000000000 +0900 +++ apache-ant-1.10.2/manual/Tasks/unzip.html 2022-07-26 20:33:46.259863279 +0900 @@ -126,7 +126,8 @@ Note that this changes the entry's name before applying include/exclude patterns and before using the nested mappers (if any). <em>since Ant 1.8.0</em></td> - <td valign="top" align="center">No, defaults to false</td> + <td valign="top" align="center">No, defaults to true since 1.9.12 + (used to defaukt to false prior to that)</td> </tr> <tr> <td valign="top">scanForUnicodeExtraFields</td> @@ -138,6 +139,15 @@ zip task page</a></td> <td align="center" valign="top">No, defaults to true</td> </tr> + <tr> + <td valign="top">allowFilesToEscapeDest</td> + <td valign="top">Whether to allow the extracted file or directory + to be outside of the dest directory. + <em>since Ant 1.9.12</em></td> + <td valign="top" align="center">No, defaults to false unless + stripAbsolutePathSpec is true and the entry's name starts with a leading + path spec.</td> + </tr> </table> <h3>Examples</h3> <pre> diff -Naru apache-ant-1.10.2_orig/src/main/org/apache/tools/ant/taskdefs/Expand.java apache-ant-1.10.2/src/main/org/apache/tools/ant/taskdefs/Expand.java --- apache-ant-1.10.2_orig/src/main/org/apache/tools/ant/taskdefs/Expand.java 2018-02-04 01:52:24.000000000 +0900 +++ apache-ant-1.10.2/src/main/org/apache/tools/ant/taskdefs/Expand.java 2022-07-26 20:39:25.831436977 +0900 @@ -76,8 +76,9 @@ private Union resources = new Union(); private boolean resourcesSpecified = false; private boolean failOnEmptyArchive = false; - private boolean stripAbsolutePathSpec = false; + private boolean stripAbsolutePathSpec = true; private boolean scanForUnicodeExtraFields = true; + private Boolean allowFilesToEscapeDest = null; private String encoding; 
@@ -259,14 +260,17 @@ boolean isDirectory, FileNameMapper mapper) throws IOException { - if (stripAbsolutePathSpec && !entryName.isEmpty() + final boolean entryNameStartsWithPathSpec = entryName.length() > 0 && (entryName.charAt(0) == File.separatorChar || entryName.charAt(0) == '/' - || entryName.charAt(0) == '\\')) { + || entryName.charAt(0) == '\\'); + if (stripAbsolutePathSpec && entryNameStartsWithPathSpec) { log("stripped absolute path spec from " + entryName, Project.MSG_VERBOSE); entryName = entryName.substring(1); } + boolean allowedOutsideOfDest = Boolean.TRUE == getAllowFilesToEscapeDest() + || null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec; if (!(patternsets == null || patternsets.isEmpty())) { String name = entryName.replace('/', File.separatorChar) @@ -332,6 +336,12 @@ mappedNames = new String[] {entryName}; } File f = fileUtils.resolveFile(dir, mappedNames[0]); + if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) { + log("skipping " + entryName + " as its target " + f + " is outside of " + + dir + ".", Project.MSG_VERBOSE); + return; + } + try { if (!overwrite && f.exists() && f.lastModified() >= entryDate.getTime()) { 
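Review bot: `Boolean.TRUE == getAllowFilesToEscapeDest()` compares object identity, which holds only as long as the field is filled by autoboxing in `setAllowFilesToEscapeDest(boolean)`; `Boolean.TRUE.equals(getAllowFilesToEscapeDest())` does not depend on that. The right-hand side mixes `||` and `&&` without parentheses, so I would write it as `|| (null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec)` to make this security decision readable at a glance. Note also that the condition permits escape by default when stripAbsolutePathSpec is false, while the row added to unzip.html in this patch says "unless stripAbsolutePathSpec is true"; one of the two needs correcting. The enclosing method starts and ends outside the hunk.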
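Review bot: The entry that would land outside `dir` is dropped with a message at `Project.MSG_VERBOSE`, so a build at the default log level gives no sign that an archive contained an escaping path. Since this is the signal a defender wants to see, I would log it at warning level: `+ dir + ".", Project.MSG_WARN);`. Whether the two-argument `fileUtils.isLeadingPath(dir, f)` resolves symbolic links is not visible in this patch; if it only compares normalized path strings, a target reached through a symlink that already exists under `dir` would still pass the check, so it is worth confirming against the FileUtils in this tree. The enclosing method continues outside the hunk.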
@@ -524,4 +534,25 @@ return scanForUnicodeExtraFields; } + /** + * Whether to allow the extracted file or directory to be outside of the dest directory. + * + * @param b the flag + * @since Ant 1.9.12 + */ + public void setAllowFilesToEscapeDest(boolean b) { + allowFilesToEscapeDest = b; + } + + /** + * Whether to allow the extracted file or directory to be outside of the dest directory. + * + * @return {@code null} if the flag hasn't been set explicitly, + * otherwise the value set by the user. + * @since Ant 1.9.12 + */ + public Boolean getAllowFilesToEscapeDest() { + return allowFilesToEscapeDest; + } + } diff -Naru apache-ant-1.10.2_orig/src/tests/antunit/taskdefs/unzip-test.xml apache-ant-1.10.2/src/tests/antunit/taskdefs/unzip-test.xml --- apache-ant-1.10.2_orig/src/tests/antunit/taskdefs/unzip-test.xml 2018-02-04 01:52:24.000000000 +0900 +++ apache-ant-1.10.2/src/tests/antunit/taskdefs/unzip-test.xml 2022-07-26 20:33:46.259863279 +0900 @@ -24,6 +24,10 @@ <mkdir dir="${output}" /> </target> + <target name="tearDown" depends="antunit-base.tearDown"> + <delete dir="/tmp/testdir"/> + </target> + <target name="testFailureOnBrokenCentralDirectoryStructure"> <au:expectfailure expectedmessage="central directory is empty, can't expand corrupt archive."> 
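Review bot: The Javadoc on `setAllowFilesToEscapeDest` does not say what applies when the flag is never set, although the getter documents a `null` state and the extraction code treats it as a third case. I would add to the setter something like `If never set, entries may leave dest only when stripAbsolutePathSpec is false and the entry name starts with a path separator.` and `Setting this to true lets archive entries be written outside dest; keep it off for archives from untrusted sources.`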
@@ -67,4 +71,46 @@ <!-- failed on Windows and other OSes with implicit file locking --> <au:assertFileDoesntExist file="${input}/test.zip"/> </target> + + <target name="testEntriesDontEscapeDestByDefault"> + <mkdir dir="${input}/"/> + <mkdir dir="${output}/"/> + <unzip src="zip/direscape.zip" dest="${output}"/> + <au:assertFileDoesntExist file="${input}/a"/> + </target> + + <target name="testEntriesCanEscapeDestIfRequested"> + <mkdir dir="${input}/"/> + <mkdir dir="${output}/"/> + <unzip src="zip/direscape.zip" dest="${output}" allowFilesToEscapeDest="true"/> + <au:assertFileExists file="${input}/a"/> + </target> + + <target name="-can-write-to-tmp?"> + <mkdir dir="${input}"/> + <echo file="${input}/A.java"><![CDATA[ +public class A { + public static void main(String[] args) { + new java.io.File("/tmp/testdir/").mkdirs(); + } +} +]]></echo> + <mkdir dir="${output}"/> + <javac srcdir="${input}" destdir="${output}"/> + <java classname="A" classpath="${output}"/> + <available property="can-write-to-tmp!" file="/tmp/testdir/"/> + </target> + + <target name="testEntriesCanEscapeDestViaAbsolutePathIfPermitted" + depends="-can-write-to-tmp?" if="can-write-to-tmp!"> + <unzip src="zip/direscape-absolute.zip" dest="${output}" + stripAbsolutePathSpec="false"/> + <au:assertFileExists file="/tmp/testdir/a"/> + </target> + + <target name="testEntriesDontEscapeDestViaAbsolutePathByDefault" + depends="-can-write-to-tmp?" if="can-write-to-tmp!"> + <unzip src="zip/direscape-absolute.zip" dest="${output}"/> + <au:assertFileDoesntExist file="/tmp/testdir/a"/> + </target> </project>
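Review bot: `testEntriesCanEscapeDestViaAbsolutePathIfPermitted` asserts on the fixed path `/tmp/testdir/a`, so a file left there by an earlier run or by another process lets the assertion pass without this unzip having written anything, and makes `testEntriesDontEscapeDestViaAbsolutePathByDefault` fail for an unrelated reason. Adding `<delete file="/tmp/testdir/a" quiet="true"/>` before each `<unzip>` ties both results to what this run extracted. The `tearDown` added in the previous hunk removes the directory only after a test has run, and `/tmp` is shared space on most systems.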