emaste created this revision.
emaste added a subscriber: freebsd-toolchain.

REVISION SUMMARY
  Set ARCHIVE_EXTRACT_SECURE_SYMLINKS and ARCHIVE_EXTRACT_SECURE_NODOTDOT as in
  bsdtar to prevent extraction of archive entries whose pathnames contain .. or
  whose target directory would be altered by a symlink. Also disallow absolute
  pathnames.
  
  We don't currently provide an option to disable this behaviour (as bsdtar's
  -P does). It is unlikely to be a problem in practice for ar(1), but the -P
  option is available if we want to allow it.
  
  Reported by: Alexander Cherepanov <chere...@mccme.ru>
  Elftoolchain ticket: 474

TEST PLAN
  From https://sourceforge.net/p/elftoolchain/tickets/474/
  
  ~~~
  printf '!<arch>\n%-48s%-10s`\n%-48s%-10s`\n' /tmp/file 0 ../file 0 > test.a
  n% ./ar -xv test.a
  x - /tmp/file
  ar: warning: Absolute path '/tmp/file'
  x - ../file
  ar: warning: Path contains '..'
  ~~~

REVISION DETAIL
  https://reviews.freebsd.org/D1524

AFFECTED FILES
  usr.bin/ar/read.c

To: emaste
Cc: freebsd-toolchain
_______________________________________________
freebsd-toolchain@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-toolchain
To unsubscribe, send any mail to "freebsd-toolchain-unsubscr...@freebsd.org"
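
The pathname policy from the revision summary, applied to the two-member archive built in the test plan. This is an added example, not code from usr.bin/ar/read.c or libarchive. All function names are hypothetical, only the fixed 60-byte ar header is parsed (no GNU/BSD long-name handling), and the symlink check is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PATH_OK, PATH_ABSOLUTE, PATH_DOTDOT };
/* Classify a member name: absolute, has a ".." component, or acceptable. */
static int check_member_path(const char *p) {
    if (p[0] == '/') return PATH_ABSOLUTE;
    while (*p != '\0') {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') return PATH_DOTDOT;
        p += n + strspn(p + n, "/");         /* skip component and slashes */
    }
    return PATH_OK;
}

/* Walk the ar member headers (name at 0..15, size at 48..57, "`\n" at 58).
 * Returns the number of unsafe member names, or -1 if the file is malformed. */
static int count_unsafe_members(const char *buf, size_t len) {
    size_t off = 8;
    int unsafe = 0;
    if (len < 8 || memcmp(buf, "!<arch>\n", 8) != 0) return -1;
    while (off + 60 <= len) {
        char name[17] = {0}, size[11] = {0};
        if (memcmp(buf + off + 58, "`\n", 2) != 0) return -1;
        memcpy(name, buf + off, 16);
        memcpy(size, buf + off + 48, 10);
        for (int i = 15; i >= 0 && name[i] == ' '; i--)
            name[i] = '\0';                  /* strip header padding */
        if (check_member_path(name) != PATH_OK) unsafe++;
        unsigned long sz = strtoul(size, NULL, 10);
        if (sz > len - off - 60) return -1;  /* size runs past end of file */
        off += 60 + sz + (sz & 1);           /* member data is 2-byte aligned */
    }
    return unsafe;
}

/* Constructed sample: same format string and arguments as the test plan. */
static size_t build_test_archive(char *out, size_t cap) {
    int n = snprintf(out, cap, "!<arch>\n%-48s%-10s`\n%-48s%-10s`\n",
                     "/tmp/file", "0", "../file", "0");
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

int main(void) {
    char a[256];
    size_t n = build_test_archive(a, sizeof a);
    printf("unsafe members: %d\n", count_unsafe_members(a, n));
    return 0;
}
```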
