Merge pull request #36 from woefe/test-relative-symlink

Add testcase and fix for relative, in-path symlink
pear · Feb 4, 2021 · 40283fb · 40283fb
2 parents c3b9457 + 7d8782d
commit 40283fb
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 1 deletion.
diff --git a/Archive/Tar.php b/Archive/Tar.php
@@ -2124,7 +2124,25 @@ public function _extractList(
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
-                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                        $link_depth = 0;
+                        foreach (explode("/", $v_header['filename']) as $dir) {
+                            if ($dir === "..") {
+                                $link_depth--;
+                            } elseif ($dir !== "" && $dir !== "." ) {
+                                $link_depth++;
+                            }
+                        }
+                        foreach (explode("/", $v_header['link']) as $dir){
+                            if ($link_depth <= 0) {
+                                break;
+                            }
+                            if ($dir === "..") {
+                                $link_depth--;
+                            } elseif ($dir !== "" && $dir !== ".") {
+                                $link_depth++;
+                            }
+                        }
+                        if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
                             $this->_error(
                                  'Out-of-path file extraction {'
                                  . $v_header['filename'] . ' --> ' .

diff --git a/tests/relativesymlink.phpt b/tests/relativesymlink.phpt
@@ -0,0 +1,24 @@
+--TEST--
+test symbolic links
+--SKIPIF--
+--FILE--
+<?php
+require_once dirname(__FILE__) . '/setup.php.inc';
+$me = dirname(__FILE__) . '/testit';
+$tar = new Archive_Tar(dirname(__FILE__) . '/relativesymlink.tar');
+$tar->extract();
+$phpunit->assertNoErrors('after');
+$phpunit->assertFileExists('testme', 'dir');
+$phpunit->assertFileExists('testme/a/file1.txt', 'file1.txt');
+$phpunit->assertFileExists('testme/b/symlink.txt', 'symlink.txt');
+$phpunit->assertTrue(is_link('testme/b/symlink.txt'), 'is link');
+echo 'tests done';
+?>
+--CLEAN--
+<?php
+@unlink('testme/file1.txt');
+@unlink('testme/symlink.txt');
+@rmdir('testme');
+?>
+--EXPECT--
+tests done
diff --git a/tests/relativesymlink.tar b/tests/relativesymlink.tar