Skip to content

GitLab

Commit 92f679b8 authored by mcdruid's avatar mcdruid
Browse files

SA-CORE-2021-004 by mcdruid, michieltcs, xjm, Heine, larowlan

parent 62072493
Hide whitespace changes
Inline Side-by-side
modules/system/system.tar.inc
View file @ 92f679b8
......@@ -2178,14 +2178,6 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {'
......@@ -2193,6 +2185,40 @@ public function _extractList(
);
return false;
}
$absolute_link = FALSE;
$link_depth = 0;
if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
$absolute_link = TRUE;
}
else {
$s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
$s_linkname = str_replace('\\', '/', $v_header['link']);
foreach (explode("/", $s_filename) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
foreach (explode("/", $s_linkname) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
}
if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (@file_exists($v_header['filename'])) {
@drupal_unlink($v_header['filename']);
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment