Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

SA-CORE-2021-004 by mcdruid, michieltcs, xjm, Heine, larowlan

merge-requests/295/merge
mcdruid 2021-07-21 10:40:20 +01:00
parent 62072493fa
commit 92f679b84a
1 changed files with 34 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
modules/system/system.tar.inc
View File

@ -2178,14 +2178,6 @@ class Archive_Tar
} }
} }
} elseif ($v_header['typeflag'] == "2") { } elseif ($v_header['typeflag'] == "2") {
if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (!$p_symlinks) { if (!$p_symlinks) {
$this->_warning('Symbolic links are not allowed. ' $this->_warning('Symbolic links are not allowed. '
. 'Unable to extract {' . 'Unable to extract {'
@ -2193,6 +2185,40 @@ class Archive_Tar
); );
return false; return false;
} }
$absolute_link = FALSE;
$link_depth = 0;
if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
$absolute_link = TRUE;
}
else {
$s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
$s_linkname = str_replace('\\', '/', $v_header['link']);
foreach (explode("/", $s_filename) as $dir) {
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== "." ) {
$link_depth++;
}
}
foreach (explode("/", $s_linkname) as $dir){
if ($link_depth <= 0) {
break;
}
if ($dir === "..") {
$link_depth--;
} elseif ($dir !== "" && $dir !== ".") {
$link_depth++;
}
}
}
if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
$v_header['link'] . '}'
);
return false;
}
if (@file_exists($v_header['filename'])) { if (@file_exists($v_header['filename'])) {
@drupal_unlink($v_header['filename']); @drupal_unlink($v_header['filename']);
} }