composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-23 18:48:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/support/2.7' into develop

Browse Source 
# Conflicts:
#	application/transaction.class.inc.php
#	application/ui.extkeywidget.class.inc.php
#	composer.json
#	composer.lock
#	js/utils.js
#	lib/composer/InstalledVersions.php
#	lib/composer/installed.json
#	lib/composer/installed.php
#	lib/pear/archive_tar/Archive/Tar.php
#	lib/pear/archive_tar/package.xml
#	setup/wizardsteps.class.inc.php
#	sources/Controller/AjaxRenderController.php
This commit is contained in:
Pierre Goiffon
2021-10-18 14:44:34 +02:00
parent 1d28bbe3f4 8ea5be4ead
commit 347cbca5cf
20 changed files with 468 additions and 350 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/pear/archive_tar/.github/workflows/build.yml vendored
View File

@@ -8,7 +8,7 @@ jobs:
test:
runs-on: ${{ matrix.operating-system }}
strategy:
fail-fast: true
fail-fast: false
matrix:
operating-system: [ ubuntu-latest ]
php: [ '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0' ]
@@ -37,5 +37,4 @@ jobs:
run: |
sudo pear install -f package.xml
pear version
pear run-tests -qr tests/ || cat run-tests.log
for i in `find tests/ -name '*.out'`; do echo "$i"; cat "$i"; done
pear run-tests -qr tests/ || { cat run-tests.log; for i in `find tests/ -name '*.out'`; do echo "$i"; cat "$i"; done; exit 1; }

44
lib/pear/archive_tar/Archive/Tar.php
View File

@@ -257,7 +257,7 @@ class Archive_Tar extends PEAR
{
$this->_close();
// ----- Look for a local copy to delete
if ($this->_temp_tarname != '') {
if ($this->_temp_tarname != '' && (bool) preg_match('/^tar[[:alnum:]]*\.tmp$/', $this->_temp_tarname)) {
@unlink($this->_temp_tarname);
}
}
@@ -2124,14 +2124,6 @@ class Archive_Tar extends PEAR
}
}
} elseif ($v_header['typeflag'] == "2") {
if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
@@ -2139,6 +2131,40 @@ class Archive_Tar extends PEAR
);
return false;
}
$absolute_link = FALSE;
$link_depth = 0;
if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
$absolute_link = TRUE;
}
else {
$s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
$s_linkname = str_replace('\\', '/', $v_header['link']);
foreach (explode("/", $s_filename) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
foreach (explode("/", $s_linkname) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
}
if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}

2
lib/pear/archive_tar/README.md
View File

@@ -1,7 +1,7 @@
Archive_Tar
==========
[![Build Status](https://secure.travis-ci.org/pear/Archive_Tar.png?branch=master)](https://travis-ci.org/pear/Archive_Tar)
![.github/workflows/build.yml](https://github.com/pear/Archive_Tar/workflows/.github/workflows/build.yml/badge.svg)
This package provides handling of tar files in PHP.
It supports creating, listing, extracting and adding to tar files.

38
lib/pear/archive_tar/package.xml
View File

@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>stig@php.net</email>
<active>no</active>
</helper>
<date>2021-01-18</date>
<time>19:29:56</time>
<date>2021-07-20</date>
<time>18:00:00</time>
<version>
<release>1.4.12</release>
<release>1.4.14</release>
<api>1.4.0</api>
</version>
<stability>
@@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
* Properly fix symbolic link path traversal (CVE-2021-32610)
</notes>
<contents>
<dir name="/">
@@ -74,6 +74,36 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</dependencies>
<phprelease />
<changelog>
<release>
<version>
<release>1.4.13</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2021-02-16</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.12</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2021-01-18</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.11</release>