Hi Jakub,

On Sun, 4 Jan 2015 18:12:01 +0100, Jakub Wilk <[email protected]> wrote:
> gcab is susceptible to directory traversal:

Thanks for spotting this, I'm going to submit the following patch which
handles all your traversal cases (albeit in a somewhat ugly manner for
relative traversals):
diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
index a140e2c..f96e04f 100644
--- a/libgcab/gcab-folder.c
+++ b/libgcab/gcab-folder.c
@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
fname[i] = '/';
GFile *gfile = g_file_resolve_relative_path (path, fname);
- GFile *parent = g_file_get_parent (gfile);
g_free (fname);
+ if (!g_file_has_prefix(gfile, path)) {
+ // "Rebase" the file in the given path, to ensure we never escape
it
+ char *rawpath = g_file_get_path(gfile);
+ if (rawpath != NULL) {
+ char *newpath = rawpath;
+ while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
+ newpath++;
+ }
+ GFile *newgfile = g_file_resolve_relative_path (path, newpath);
+ g_free (rawpath);
+ g_object_unref (gfile);
+ gfile = newgfile;
+ }
+ }
+
+ GFile *parent = g_file_get_parent (gfile);
+
if (!g_file_make_directory_with_parents (parent, cancellable,
&my_error)) {
if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
g_clear_error (&my_error);
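Review bot: The `if (rawpath != NULL)` block has no else branch, so when g_file_get_path() returns NULL the entry that just failed the g_file_has_prefix() check is left unchanged and the code continues to g_file_get_parent() and g_file_make_directory_with_parents() with a location outside `path`. Treat that case as a failure (set an error and abort or skip the entry) rather than falling through. More generally, silently rebasing an escaping name under `path` hides a malformed or hostile archive from the caller; rejecting the entry, or at least emitting a warning when the rebase happens, would make the behaviour visible. Minor points: the new calls `g_file_has_prefix(gfile, path)` and `g_file_get_path(gfile)` omit the space before the parenthesis that the surrounding lines use, and the `*newpath != 0 &&` test in the while loop is redundant because a NUL byte never equals G_DIR_SEPARATOR.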
Can you spot any issues there?
Regards,
Stephen

