Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.2:Update
ark
0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-f...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Pass-the-ARCHIVE_EXTRACT_SECURE_SYMLINKS-flag-to-lib.patch of Package ark
From 8bf8c5ef07b0ac5e914d752681e470dea403a5bd Mon Sep 17 00:00:00 2001 From: Fabian Vogt <fabian@ritter-vogt.de> Date: Tue, 25 Aug 2020 22:14:37 +0200 Subject: [PATCH] Pass the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive There are archive types which allow to first create a symlink and then later on dereference it. If the symlink points outside of the archive, this results in writing outside of the destination directory. With the ARCHIVE_EXTRACT_SECURE_SYMLINKS option set, libarchive avoids this situation by verifying that none of the target path components are symlinks before writing. Remove the commented out code in the method, which would actually misbehave if enabled again. Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de> --- plugins/libarchive/libarchiveplugin.cpp | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/plugins/libarchive/libarchiveplugin.cpp b/plugins/libarchive/libarchiveplugin.cpp index 50e81da1..8a0fed21 100644 --- a/plugins/libarchive/libarchiveplugin.cpp +++ b/plugins/libarchive/libarchiveplugin.cpp @@ -509,21 +509,9 @@ void LibarchivePlugin::emitEntryFromArchiveEntry(struct archive_entry *aentry) int LibarchivePlugin::extractionFlags() const { - int result = ARCHIVE_EXTRACT_TIME; - result |= ARCHIVE_EXTRACT_SECURE_NODOTDOT; - - // TODO: Don't use arksettings here - /*if ( ArkSettings::preservePerms() ) - { - result &= ARCHIVE_EXTRACT_PERM; - } - - if ( !ArkSettings::extractOverwrite() ) - { - result &= ARCHIVE_EXTRACT_NO_OVERWRITE; - }*/ - - return result; + return ARCHIVE_EXTRACT_TIME + | ARCHIVE_EXTRACT_SECURE_NODOTDOT + | ARCHIVE_EXTRACT_SECURE_SYMLINKS; } void LibarchivePlugin::copyData(const QString& filename, struct archive *dest, bool partialprogress) -- 2.25.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor