diff options
author | Andrey A. Chernov <ache@FreeBSD.org> | 2003-07-29 03:41:54 +0000 |
---|---|---|
committer | Andrey A. Chernov <ache@FreeBSD.org> | 2003-07-29 03:41:54 +0000 |
commit | a64b51263a686de76321c6baecd611e2e35e3297 (patch) | |
tree | 365f4ec0d3161e455eb63495ea91e51ac85f8d0d /archivers | |
parent | ef6a13a247eab3f9425d49992f23d7749e4b67d6 (diff) |
Use better ../ & control vulnerability fix
Submitted by: ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp>
Notes
Notes:
svn path=/head/; revision=85805
Diffstat (limited to 'archivers')
-rw-r--r-- | archivers/unzip/Makefile | 2 | ||||
-rw-r--r-- | archivers/unzip/files/patch-ab | 118 |
2 files changed, 51 insertions, 69 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile index feba65b0e802..b73587689947 100644 --- a/archivers/unzip/Makefile +++ b/archivers/unzip/Makefile @@ -7,7 +7,7 @@ PORTNAME= unzip PORTVERSION= 5.50 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ \ ${MASTER_SITE_TEX_CTAN:S,%SUBDIR%,tools/zip/info-zip/src/,} diff --git a/archivers/unzip/files/patch-ab b/archivers/unzip/files/patch-ab index 6a26c3569609..718f5921b89b 100644 --- a/archivers/unzip/files/patch-ab +++ b/archivers/unzip/files/patch-ab @@ -1,90 +1,72 @@ --- unix/unix.c.orig Tue Jan 22 01:54:42 2002 -+++ unix/unix.c Mon Jul 28 18:36:17 2003 -@@ -421,7 +421,8 @@ - */ - { - char pathcomp[FILNAMSIZ]; /* path-component buffer */ -- char *pp, *cp=(char *)NULL; /* character pointers */ -+ char *pp, *cp=(char *)NULL, /* character pointers */ -+ *dp=(char *)NULL; - char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */ - #ifdef ACORN_FTYPE_NFS - char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */ -@@ -429,6 +430,7 @@ - #endif - int quote = FALSE; /* flags */ ++++ unix/unix.c Tue Jul 29 07:36:54 2003 +@@ -431,6 +431,7 @@ int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */ -+ int snarf_ddot = FALSE; /* Is set while scanning for "../" */ int error = MPN_OK; register unsigned workch; /* hold the character being tested */ ++ int ignore_pathcomp; + + + /*--------------------------------------------------------------------------- +@@ -466,33 +467,34 @@ -@@ -467,6 +469,9 @@ while ((workch = (uch)*cp++) != 0) { - if (quote) { /* if character quoted, */ -+ if ((pp == pathcomp) && (workch == '.')) -+ /* Oh no you don't... */ -+ goto ddot_hack; - *pp++ = (char)workch; /* include it literally */ +- if (quote) { /* if character quoted, */ +- *pp++ = (char)workch; /* include it literally */ ++ if (quote) { /* if character quoted, include it literally */ ++ /* unless it is a slash */ ++ /* A slash should be converted to an underscore */ ++ *pp++ = (workch == '/' ? '_' : (char)workch); quote = FALSE; } else -@@ -481,15 +486,44 @@ - break; - - case '.': + switch (workch) { + case '/': /* can assume -j flag not given */ + *pp = '\0'; +- if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK) +- > MPN_INF_TRUNC) +- return error; +- pp = pathcomp; /* reset conversion buffer for next piece */ +- lastsemi = (char *)NULL; /* leave directory semi-colons alone */ +- break; +- +- case '.': - if (pp == pathcomp) { /* nothing appended yet... */ -+ if (pp == pathcomp) { -+ddot_hack: -+ /* nothing appended yet... */ - if (*cp == '/') { /* don't bother appending "./" to */ - ++cp; /* the path: skip behind the '/' */ - break; +- if (*cp == '/') { /* don't bother appending "./" to */ +- ++cp; /* the path: skip behind the '/' */ +- break; - } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') { -- /* "../" dir traversal detected */ ++ ignore_pathcomp = FALSE; ++ if (*pathcomp == '.') { ++ if (pathcomp[1] == '\0') { ++ /* don't bother appending "./" to the path */ ++ ignore_pathcomp = TRUE; ++ } ++ else if (pathcomp[1] == '.' && pathcomp[2] == '\0' && !uO.ddotflag) { + /* "../" dir traversal detected */ - cp += 2; /* skip over behind the '/' */ -- killed_ddot = TRUE; /* set "show message" flag */ ++ ignore_pathcomp = TRUE; + killed_ddot = TRUE; /* set "show message" flag */ - break; -+ } else if (!uO.ddotflag) { -+ -+ /* -+ * SECURITY: Skip past control characters if the user -+ * didn't OK use of absolute pathnames. lhh - this is -+ * a very quick, ugly, inefficient fix. -+ */ -+ dp = cp; -+ do { -+ workch = (uch)(*dp); -+ if (workch == '/' && snarf_ddot) { -+ /* "../" dir traversal detected */ -+ cp = dp + 1; /* skip past the '/' */ -+ killed_ddot = TRUE; /* set "show msg" flag */ -+ break; -+ } else if (workch == '.' && !snarf_ddot) { -+ snarf_ddot = TRUE; -+ } else if (isprint(workch) || -+ ((workch > 127) && (workch <= 255))) { -+ /* -+ * Since we found a printable, non-ctrl char, -+ * we can stop looking for '../', the amount -+ * in ../! -+ */ -+ break; -+ } -+ -+ dp++; -+ } while (*dp != 0); -+ -+ if (killed_ddot) -+ break; } } - *pp++ = '.'; -@@ -519,7 +553,7 @@ +- *pp++ = '.'; ++ if (!ignore_pathcomp) { ++ if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK) ++ > MPN_INF_TRUNC) ++ return error; ++ } ++ pp = pathcomp; /* reset conversion buffer for next piece */ ++ lastsemi = (char *)NULL; /* leave directory semi-colons alone */ + break; + + case ';': /* VMS version (or DEC-20 attrib?) */ +@@ -519,7 +521,7 @@ default: /* allow European characters in filenames: */ - if (isprint(workch) || (128 <= workch && workch <= 254)) -+ if (isprint(workch) || (128 <= workch && workch <= 255)) ++ if (isprint(workch) || (128 <= workch && workch <= 255)) *pp++ = (char)workch; } /* end switch */ |