composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°4231 Security hardening

Browse Source
This commit is contained in:
Pierre Goiffon
2021-10-12 11:11:11 +02:00
parent fe3512cb5f
commit 8f0a5fcaf9
10 changed files with 927 additions and 1184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
lib/pear/archive_tar/Archive/Tar.php
View File

@@ -2124,32 +2124,6 @@ class Archive_Tar extends PEAR
}
}
} elseif ($v_header['typeflag'] == "2") {
$link_depth = 0;
foreach (explode("/", $v_header['filename']) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
foreach (explode("/", $v_header['link']) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
@@ -2157,6 +2131,40 @@ class Archive_Tar extends PEAR
);
return false;
}
$absolute_link = FALSE;
$link_depth = 0;
if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
$absolute_link = TRUE;
}
else {
$s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
$s_linkname = str_replace('\\', '/', $v_header['link']);
foreach (explode("/", $s_filename) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
foreach (explode("/", $s_linkname) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
}
if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}

23
lib/pear/archive_tar/package.xml
View File

@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>stig@php.net</email>
<active>no</active>
</helper>
<date>2021-02-16</date>
<time>10:49:28</time>
<date>2021-07-20</date>
<time>18:00:00</time>
<version>
<release>1.4.13</release>
<release>1.4.14</release>
<api>1.4.0</api>
</version>
<stability>
@@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
* Properly fix symbolic link path traversal (CVE-2021-32610)
</notes>
<contents>
<dir name="/">
@@ -74,6 +74,21 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</dependencies>
<phprelease />
<changelog>
<release>
<version>
<release>1.4.13</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2021-02-16</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.12</release>