File 0001-Treat-absolute-paths-as-relative-paths-during-extrac.patch of Package ark.18780

From 805c4cc54140c16d2b8424449927d9f7c094aad0 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Thu, 7 Nov 2024 14:47:26 +0100
Subject: [PATCH] Treat absolute paths as relative paths during extraction

Tell libarchive to use the path for extraction that Ark uses internally.
In addition, set the ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS flag so that
absolute paths cannot be used by accident.

(cherry picked from commit cc9ea9e89c1c679d398809e94f1217b1f73c4b48)
---
 autotests/kerfuffle/data/absolutepath.tar.xz | Bin 0 -> 280 bytes
 autotests/kerfuffle/extracttest.cpp          |   8 ++++++++
 plugins/libarchive/libarchiveplugin.cpp      |  10 +++++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 autotests/kerfuffle/data/absolutepath.tar.xz

diff --git a/autotests/kerfuffle/extracttest.cpp b/autotests/kerfuffle/extracttest.cpp
index 4f8c6c1..5662a87 100644
--- a/autotests/kerfuffle/extracttest.cpp
+++ b/autotests/kerfuffle/extracttest.cpp
@@ -398,6 +398,14 @@ void ExtractTest::testExtraction_data()
             << optionsPreservePaths
             << 6;
 
+    // Test tarball with leading /, i.e. here /tmp/testfile instead of tmp/testfile
+    archivePath = QFINDTESTDATA("data/absolutepath.tar.xz");
+    QTest::newRow("extract all entries from a tar archive with absolute path")
+            << archivePath
+            << QVector<Archive::Entry *>()
+            << optionsPreservePaths
+            << 2;
+
     archivePath = QFINDTESTDATA("data/hello-1.0-x86_64.AppImage");
     QTest::newRow("extract all entries from an AppImage with path")
             << archivePath
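Review bot: The expected value `<< 2` in the new row is unexplained, and this hunk does not show how the count is taken, so a reader cannot tell whether the row proves the file landed inside the extraction directory. I would extend the comment to `// Test tarball with leading /, i.e. here /tmp/testfile instead of tmp/testfile; expect 2 entries (tmp/ and tmp/testfile) below the extraction directory`, adjusted if the fixture holds something else. If the test body, which is outside this hunk, counts entries reported by the job rather than files found under the destination, an explicit existence check for `tmp/testfile` below the destination would make the row fail for the right reason.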
diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp
index bf5373e..b49c12e 100644
--- a/plugins/libarchive/libarchiveplugin.cpp
+++ b/plugins/libarchive/libarchiveplugin.cpp
@@ -307,6 +307,11 @@ bool LibarchivePlugin::extractFiles(const QVector<Archive::Entry*> &files, const
             entryName.remove(0, 1);
         }
 
+        // If this ends up empty (e.g. from // or ./), convert to ".".
+        if (entryName.isEmpty()) {
+            entryName = QStringLiteral(".");
+        }
+
         // Should the entry be extracted?
         if (extractAll ||
             remainingFiles.contains(entryName) ||
@@ -321,10 +326,12 @@ bool LibarchivePlugin::extractFiles(const QVector<Archive::Entry*> &files, const
                 continue;
             }
 
+            // Make sure libarchive uses the same path as we expect, based on transformations and renames,
+            qCDebug(ARK) << "setting path to " << entryName;
+            archive_entry_copy_pathname(entry, QFile::encodeName(entryName).constData());
             // entryFI is the fileinfo pointing to where the file will be
             // written from the archive.
             QFileInfo entryFI(entryName);
-            //qCDebug(ARK) << "setting path to " << archive_entry_pathname( entry );
 
             if (isSingleFile && fileBeingRenamed.isEmpty()) {
                 // Rename extracted file from libarchive-internal "data" name to the archive uncompressed name.
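Review bot: The comment added above `archive_entry_copy_pathname` ends on a comma and never names the transformations it refers to, so the security purpose of the call is easy to miss. I would write it as `// Hand libarchive the entryName computed above (leading "/" stripped, renames applied) so it writes to the path Ark checked, not the raw path stored in the archive.` Only the pathname is rewritten in the visible lines; whether a hardlink target carried by the entry needs the same normalisation cannot be judged from this hunk and is worth confirming. extractFiles starts and ends outside the hunk.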
@@ -568,6 +575,7 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry, b
 int LibarchivePlugin::extractionFlags() const
 {
     return ARCHIVE_EXTRACT_TIME
+           | ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
            | ARCHIVE_EXTRACT_SECURE_NODOTDOT
            | ARCHIVE_EXTRACT_SECURE_SYMLINKS;
 }
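Review bot: extractionFlags() has no comment saying why `ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS` is still needed when extractFiles() already sets a sanitized pathname on each extracted entry, so a later cleanup could drop it as redundant. I would add above the `return`: `// Defence in depth: extractFiles() passes libarchive a relative pathname; this flag makes libarchive refuse any absolute path that still reaches it.`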
-- 
2.48.1
