unzip: prevent attacks via malicious filenames
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko
@@ -596,14 +596,18 @@ int unzip_main(int argc, char **argv)
|
||||
/* Skip extra header bytes */
|
||||
unzip_skip(zip_header.formatted.extra_len);
|
||||
|
||||
/* Guard against "/abspath", "/../" and similar attacks */
|
||||
overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn));
|
||||
|
||||
/* Filter zip entries */
|
||||
if (find_list_entry(zreject, dst_fn)
|
||||
|| (zaccept && !find_list_entry(zaccept, dst_fn))
|
||||
) { /* Skip entry */
|
||||
i = 'n';
|
||||
|
||||
} else { /* Extract entry */
|
||||
if (listing) { /* List entry */
|
||||
} else {
|
||||
if (listing) {
|
||||
/* List entry */
|
||||
unsigned dostime = zip_header.formatted.modtime | (zip_header.formatted.moddate << 16);
|
||||
if (!verbose) {
|
||||
// " Length Date Time Name\n"
|
||||
@@ -639,9 +643,11 @@ int unzip_main(int argc, char **argv)
|
||||
total_size += zip_header.formatted.cmpsize;
|
||||
}
|
||||
i = 'n';
|
||||
} else if (dst_fd == STDOUT_FILENO) { /* Extracting to STDOUT */
|
||||
} else if (dst_fd == STDOUT_FILENO) {
|
||||
/* Extracting to STDOUT */
|
||||
i = -1;
|
||||
} else if (last_char_is(dst_fn, '/')) { /* Extract directory */
|
||||
} else if (last_char_is(dst_fn, '/')) {
|
||||
/* Extract directory */
|
||||
if (stat(dst_fn, &stat_buf) == -1) {
|
||||
if (errno != ENOENT) {
|
||||
bb_perror_msg_and_die("can't stat '%s'", dst_fn);
|
||||
@@ -655,22 +661,27 @@ int unzip_main(int argc, char **argv)
|
||||
}
|
||||
} else {
|
||||
if (!S_ISDIR(stat_buf.st_mode)) {
|
||||
bb_error_msg_and_die("'%s' exists but is not directory", dst_fn);
|
||||
bb_error_msg_and_die("'%s' exists but is not a %s",
|
||||
dst_fn, "directory");
|
||||
}
|
||||
}
|
||||
i = 'n';
|
||||
|
||||
} else { /* Extract file */
|
||||
} else {
|
||||
/* Extract file */
|
||||
check_file:
|
||||
if (stat(dst_fn, &stat_buf) == -1) { /* File does not exist */
|
||||
if (stat(dst_fn, &stat_buf) == -1) {
|
||||
/* File does not exist */
|
||||
if (errno != ENOENT) {
|
||||
bb_perror_msg_and_die("can't stat '%s'", dst_fn);
|
||||
}
|
||||
i = 'y';
|
||||
} else { /* File already exists */
|
||||
} else {
|
||||
/* File already exists */
|
||||
if (overwrite == O_NEVER) {
|
||||
i = 'n';
|
||||
} else if (S_ISREG(stat_buf.st_mode)) { /* File is regular file */
|
||||
} else if (S_ISREG(stat_buf.st_mode)) {
|
||||
/* File is regular file */
|
||||
if (overwrite == O_ALWAYS) {
|
||||
i = 'y';
|
||||
} else {
|
||||
@@ -678,8 +689,10 @@ int unzip_main(int argc, char **argv)
|
||||
my_fgets80(key_buf);
|
||||
i = key_buf[0];
|
||||
}
|
||||
} else { /* File is not regular file */
|
||||
bb_error_msg_and_die("'%s' exists but is not regular file", dst_fn);
|
||||
} else {
|
||||
/* File is not regular file */
|
||||
bb_error_msg_and_die("'%s' exists but is not a %s",
|
||||
dst_fn, "regular file");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user