This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=65d2f06ecf7ab643cf4e6767a2f25f0a022c2768 commit 65d2f06ecf7ab643cf4e6767a2f25f0a022c2768 Author: Guillem Jover <[email protected]> AuthorDate: Sat Feb 29 20:36:41 2020 +0100 Dpkg::Source::Package: Detect directory traversals under debian directory We are creating at least the debian/source/format file on extract, so we need to detect and error out on any directory traversal attempts. Reported-by: Felix Lechner <[email protected]>
---
 debian/changelog               |  2 ++
 scripts/Dpkg/Source/Package.pm | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a065cf71e..9aa69aa07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -116,6 +116,8 @@ dpkg (1.20.0) UNRELEASED; urgency=medium
     - Dpkg::Source::Package::V3::Native: Do not say v1.0 for 3.0 formats.
     - Dpkg::Dist::Files: On filename parse error say file instead of package.
     - Dpkg::Substvars: Add new vendor:Name and vendor:Id substvars.
+    - Dpkg::Source::Package: Detect directory traversals under debian
+      directory. Reported by Felix Lechner <[email protected]>.
   * Documentation:
     - man: Fix uncommon wording constructs.
     - man: Use a minus sign for a literal string.
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index da622669b..6e3cec993 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -44,7 +44,9 @@ our @EXPORT_OK = qw(
 use Exporter qw(import);
 use POSIX qw(:errno_h :sys_wait_h);
 use Carp;
+use Cwd qw(realpath);
 use File::Temp;
+use File::Find;
 use File::Copy qw(cp);
 use File::Basename;
@@ -528,6 +530,25 @@ sub extract {
     # Try extract
     $self->do_extract($newdirectory);
 
+    # Check for directory traversals.
+    if (not $self->{options}{skip_debianization}) {
+        my $canon_newdir = realpath($newdirectory);
+        my $check_symlinks = sub {
+            my $canon_pathname = realpath($_);
+            return if $canon_pathname =~ m/^\Q$canon_newdir\E/;
+
+            error(g_("pathname '%s' points outside source root"), $_);
+        };
+        # We need to add a trailing slash to handle the debian directory
+        # possibly being a symlink.
+        find({
+            wanted => $check_symlinks,
+            no_chdir => 1,
+            follow => 1,
+            follow_skip => 2,
+        }, "$newdirectory/debian/");
+    }
+
     # Store format if non-standard so that next build keeps the same format
     if ($self->{fields}{'Format'} and
         $self->{fields}{'Format'} ne '1.0' and
-- Dpkg.Org's dpkg
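Review bot: The containment test `return if $canon_pathname =~ m/^\Q$canon_newdir\E/;` inside the new `$check_symlinks` callback is a bare prefix match, so a symlink under debian/ that resolves into a sibling directory whose name merely starts with the source root's name (constructed example: root `/tmp/pkg-1.0`, target `/tmp/pkg-1.0-x/...`) is accepted as being inside the tree; anchoring on a path separator, `return if $canon_pathname =~ m{^\Q$canon_newdir\E(?:/|\z)};`, closes that gap. realpath() also returns undef for a dangling symlink, which still fails closed here but triggers an "uninitialized value" warning and a misleading message; `my $canon_pathname = realpath($_) // '';` keeps the rejection and avoids the warning. The containing extract method both starts and ends outside the hunk.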

