

Bump Archive_Tar
Signed-off-by: Lukas Reschke <[email protected]>
LukasReschke committed Sep 7, 2021
1 parent 1f66cef commit b69b125
Showing 6 changed files with 67 additions and 44 deletions.
12 changes: 6 additions & 6 deletions composer.lock


12 changes: 6 additions & 6 deletions composer/installed.json
Expand Up @@ -2163,17 +2163,17 @@
},
{
"name": "pear/archive_tar",
"version": "1.4.13",
"version_normalized": "1.4.13.0",
"version": "1.4.14",
"version_normalized": "1.4.14.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
"reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
"reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
"reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
"url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
"reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
Expand All @@ -2188,7 +2188,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
"time": "2021-02-16T10:50:50+00:00",
"time": "2021-07-20T13:53:39+00:00",
"type": "library",
"extra": {
"branch-alias": {
10 changes: 5 additions & 5 deletions composer/installed.php
Expand Up @@ -5,7 +5,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
'reference' => 'd1bf85a7c711a101a13f65443216d76426e804fc',
'reference' => '1f66cef37b83a89a902e595e79e05c4eafbc855e',
'name' => 'nextcloud/3rdparty',
'dev' => false,
),
Expand Down Expand Up @@ -268,7 +268,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
'reference' => 'd1bf85a7c711a101a13f65443216d76426e804fc',
'reference' => '1f66cef37b83a89a902e595e79e05c4eafbc855e',
'dev_requirement' => false,
),
'nextcloud/lognormalizer' => array(
Expand Down Expand Up @@ -305,12 +305,12 @@
'dev_requirement' => false,
),
'pear/archive_tar' => array(
'pretty_version' => '1.4.13',
'version' => '1.4.13.0',
'pretty_version' => '1.4.14',
'version' => '1.4.14.0',
'type' => 'library',
'install_path' => __DIR__ . '/../pear/archive_tar',
'aliases' => array(),
'reference' => '2b87b41178cc6d4ad3cba678a46a1cae49786011',
'reference' => '4d761c5334c790e45ef3245f0864b8955c562caa',
'dev_requirement' => false,
),
'pear/console_getopt' => array(
Expand Up @@ -64,7 +64,7 @@ final class Versions
'nextcloud/lognormalizer' => 'v1.0.0@87445d69225c247aaff64643b1fc83c6d6df741f',
'nikic/php-parser' => 'v4.10.5@4432ba399e47c66624bc73c8c0f811e5c109576f',
'opis/closure' => '3.6.2@06e2ebd25f2869e54a306dda991f7db58066f7f6',
'pear/archive_tar' => '1.4.13@2b87b41178cc6d4ad3cba678a46a1cae49786011',
'pear/archive_tar' => '1.4.14@4d761c5334c790e45ef3245f0864b8955c562caa',
'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0',
'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7',
'pear/pear_exception' => 'v1.0.2@b14fbe2ddb0b9f94f5b24cf08783d599f776fff0',
Expand Down Expand Up @@ -117,7 +117,7 @@ final class Versions
'web-auth/cose-lib' => 'v3.3.9@ed172d2dc1a6b87b5c644c07c118cd30c1b3819b',
'web-auth/metadata-service' => 'v3.3.9@8488d3a832a38cc81c670fce05de1e515c6e64b1',
'web-auth/webauthn-lib' => 'v3.3.9@04b98ee3d39cb79dad68a7c15c297c085bf66bfe',
'nextcloud/3rdparty' => 'dev-master@d1bf85a7c711a101a13f65443216d76426e804fc',
'nextcloud/3rdparty' => 'dev-master@1f66cef37b83a89a902e595e79e05c4eafbc855e',
);

private function __construct()
50 changes: 29 additions & 21 deletions pear/archive_tar/Archive/Tar.php
Expand Up @@ -2124,39 +2124,47 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
. $v_header['filename'] . '}'
);
return false;
}
$absolute_link = FALSE;
$link_depth = 0;
foreach (explode("/", $v_header['filename']) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
$absolute_link = TRUE;
}
foreach (explode("/", $v_header['link']) as $dir){
if ($link_depth <= 0) {
break;
else {
$s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
$s_linkname = str_replace('\\', '/', $v_header['link']);
foreach (explode("/", $s_filename) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
foreach (explode("/", $s_linkname) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
}
if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
. $v_header['filename'] . '}'
);
return false;
}
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}
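Review bot: The `$p_path` prefix strip on the `$s_filename` line calls `preg_quote($p_path)` without passing the `@` delimiter, so a `$p_path` that contains `@` is not escaped and corrupts the pattern; `preg_replace` then emits a warning and returns null, the depth counts stay at zero, and every symlink entry is rejected with a spurious 'Out-of-path file extraction' error (it fails closed, but it fails). Pass the delimiter explicitly: `$s_filename = preg_replace('@^' . preg_quote($p_path, '@') . '@', "", $v_header['filename']);`. Separately, only `$s_linkname` is normalised from `\` to `/` while `$s_filename` is not, so a header filename with backslash separators would be depth-counted as a single component — presumably only relevant on Windows, and worth confirming whether the filename is already normalised before this point. `_extractList` begins and ends outside the hunk.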
23 changes: 19 additions & 4 deletions pear/archive_tar/package.xml
Expand Up @@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
<email>[email protected]</email>
<active>no</active>
</helper>
<date>2021-02-16</date>
<time>10:49:28</time>
<date>2021-07-20</date>
<time>18:00:00</time>
<version>
<release>1.4.13</release>
<release>1.4.14</release>
<api>1.4.0</api>
</version>
<stability>
Expand All @@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</stability>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
* Properly fix symbolic link path traversal (CVE-2021-32610)
</notes>
<contents>
<dir name="/">
Expand Down Expand Up @@ -74,6 +74,21 @@ Also Lzma2 compressed archives are supported with xz extension.</description>
</dependencies>
<phprelease />
<changelog>
<release>
<version>
<release>1.4.13</release>
<api>1.4.0</api>
</version>
<stability>
<release>stable</release>
<api>stable</api>
</stability>
<date>2021-02-16</date>
<license uri="http://www.opensource.org/licenses/bsd-license.php">New BSD License</license>
<notes>
* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
</notes>
</release>
<release>
<version>
<release>1.4.12</release>
