From dc721bd8616e05ea89b7abcff4cf1e3e96963183 Mon Sep 17 00:00:00 2001 From: Wolfgang Popp Date: Tue, 2 Feb 2021 23:05:33 +0100 Subject: [PATCH 1/3] Add testcase for relative and in-path symlink --- tests/relativesymlink.phpt | 24 ++++++++++++++++++++++++ tests/relativesymlink.tar | Bin 0 -> 10240 bytes 2 files changed, 24 insertions(+) create mode 100644 tests/relativesymlink.phpt create mode 100644 tests/relativesymlink.tar diff --git a/tests/relativesymlink.phpt b/tests/relativesymlink.phpt new file mode 100644 index 0000000..68cd4b3 --- /dev/null +++ b/tests/relativesymlink.phpt @@ -0,0 +1,24 @@ +--TEST-- +test symbolic links +--SKIPIF-- +--FILE-- +extract(); +$phpunit->assertNoErrors('after'); +$phpunit->assertFileExists('testme', 'dir'); +$phpunit->assertFileExists('testme/a/file1.txt', 'file1.txt'); +$phpunit->assertFileExists('testme/b/symlink.txt', 'symlink.txt'); +$phpunit->assertTrue(is_link('testme/b/symlink.txt'), 'is link'); +echo 'tests done'; +?> +--CLEAN-- + +--EXPECT-- +tests done diff --git a/tests/relativesymlink.tar b/tests/relativesymlink.tar new file mode 100644 index 0000000000000000000000000000000000000000..9a8867f36bb5ff0e50072eab7887a32982a2487c GIT binary patch literal 10240 zcmeIz-3o&s9EV|#cNJbiX{KFI1B2KXEXTIHU)DYt#I}PR8@!$fN@maBUk2ZWjn75O zrutSXCHhWR_Nk9ku?bx&<&1GA&TDN-Eu>AksoUCzF4TJ|#c}5we;b_W-_1`v@()8{ ztp76Q35W&$wEm^GvHsST)c+gj=U)Hryji!~RTfTR?)MJ$ud0voKi1zB+6h@?SzhN& zyY@Q8w#LsS|MCA{|4RP*8(_@8CI55haB974{*%Tm=HI=%|Lx=cAL?&RVT4pu8=iZN w{D;NdrmTkm0tg_000IagfB*srAb Date: Tue, 2 Feb 2021 23:32:18 +0100 Subject: [PATCH 2/3] Fix out-of-path check for virtual relative symlink A symlink is out-of-path if it is an absolute path or goes "up" too many times. This checks how deep the filename is and whether the link points more levels up than the depth of the filename. --- Archive/Tar.php | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/Archive/Tar.php b/Archive/Tar.php index 8a2d2db..ccbae6d 100644 --- a/Archive/Tar.php +++ b/Archive/Tar.php @@ -2124,7 +2124,25 @@ public function _extractList( } } } elseif ($v_header['typeflag'] == "2") { - if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) { + $link_depth = 0; + foreach (explode("/", $v_header['filename']) as $dir) { + if ($dir === "..") { + $link_depth--; + } elseif ($dir !== "" && $dir !== "." ) { + $link_depth++; + } + } + foreach (explode("/", $v_header['link']) as $dir){ + if ($link_depth <= 0) { + break; + } + if ($dir === "..") { + $link_depth--; + } elseif ($dir !== "" && $dir !== ".") { + $link_depth++; + } + } + if (str_starts_with($v_header['link'], "/") or $link_depth <= 0) { $this->_error( 'Out-of-path file extraction {' . $v_header['filename'] . ' --> ' . From 7d8782d95f74b5889bfaaad43e74086f1918ec2b Mon Sep 17 00:00:00 2001 From: Michiel Rook Date: Thu, 4 Feb 2021 09:51:52 +0100 Subject: [PATCH 3/3] PHP compat fix --- Archive/Tar.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Archive/Tar.php b/Archive/Tar.php index ccbae6d..a8c9501 100644 --- a/Archive/Tar.php +++ b/Archive/Tar.php @@ -2142,7 +2142,7 @@ public function _extractList( $link_depth++; } } - if (str_starts_with($v_header['link'], "/") or $link_depth <= 0) { + if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) { $this->_error( 'Out-of-path file extraction {' . $v_header['filename'] . ' --> ' .