Fix out-of-path check for virtual relative symlink

A symlink is out-of-path if it is an absolute path or goes "up" too many times. This checks how deep the filename is and whether the link points more levels up than the depth of the filename.
pear · Feb 2, 2021 · b558c47 · b558c47
1 parent 6d53194
commit b558c47
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/Archive/Tar.php b/Archive/Tar.php
@@ -2124,7 +2124,25 @@ public function _extractList(
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
-                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                        $link_depth = 0;
+                        foreach (explode("/", $v_header['filename']) as $dir) {
+                            if ($dir === "..") {
+                                $link_depth--;
+                            } elseif ($dir !== "" && $dir !== "." ) {
+                                $link_depth++;
+                            }
+                        }
+                        foreach (explode("/", $v_header['link']) as $dir){
+                            if ($link_depth <= 0) {
+                                break;
+                            }
+                            if ($dir === "..") {
+                                $link_depth--;
+                            } elseif ($dir !== "" && $dir !== ".") {
+                                $link_depth++;
+                            }
+                        }
+                        if (str_starts_with($v_header['link'], "/") or $link_depth <= 0) {
                             $this->_error(
                                  'Out-of-path file extraction {'
                                  . $v_header['filename'] . ' --> ' .