authorjoerg <joerg@pkgsrc.org>2006-03-14 14:02:01 +0000
committerjoerg <joerg@pkgsrc.org>2006-03-14 14:02:01 +0000
commit43ac4825d301da9f94671d8305ad04f55f3025f4 (patch)
tree5330290097b251fa22df0189b11cfe71c005ad81
parent48eed22b417ccb6f0e79c1427126e6b86132d0d7 (diff)
Normalise path names to be relative to cwd, as if they were being
extracted under a chroot. Don't attempt to deal with existing symlinks to directories. This prevents directory traversal and therefore the creation of arbitrary files. Bump revision.
-rw-r--r--archivers/fastjar/Makefile4
-rw-r--r--archivers/fastjar/distinfo4
-rw-r--r--archivers/fastjar/patches/patch-ad54
3 files changed, 55 insertions, 7 deletions
diff --git a/archivers/fastjar/Makefile b/archivers/fastjar/Makefile
index a04bb9173ee..d29b8e1d3d9 100644
--- a/archivers/fastjar/Makefile
+++ b/archivers/fastjar/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2006/03/04 21:28:52 jlam Exp $
+# $NetBSD: Makefile,v 1.15 2006/03/14 14:02:01 joerg Exp $
#
DISTNAME= fastjar-0.93
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= archivers
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=fastjar/}
EXTRACT_SUFX= .tgz
diff --git a/archivers/fastjar/distinfo b/archivers/fastjar/distinfo
index b0842c66fd3..ba2f7b96c2e 100644
--- a/archivers/fastjar/distinfo
+++ b/archivers/fastjar/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2005/12/01 17:01:25 rillig Exp $
+$NetBSD: distinfo,v 1.11 2006/03/14 14:02:01 joerg Exp $
SHA1 (fastjar-0.93.tgz) = 74acc8e8a920ea6da18a180cd0a691c5d7c4699f
RMD160 (fastjar-0.93.tgz) = 1627f2316cc7bca6a477011d1b812b140900d987
@@ -6,4 +6,4 @@ Size (fastjar-0.93.tgz) = 62419 bytes
SHA1 (patch-aa) = 12cc5397a89c18d239164caa3955121ca6d01de0
SHA1 (patch-ab) = c13f46e1a3e60a3bbe656af609a5c9fb047a4ca3
SHA1 (patch-ac) = ce8eefb978a93d0043f8b98fbf4049f022ce663c
-SHA1 (patch-ad) = 3d0a5c0afc02b1bee58c415f3b3f2691d0e0dcda
+SHA1 (patch-ad) = c988c11e01c364d94a7a12c3eb4dc933b12861a0
diff --git a/archivers/fastjar/patches/patch-ad b/archivers/fastjar/patches/patch-ad
index 832c8421ba0..63a3b1b1039 100644
--- a/archivers/fastjar/patches/patch-ad
+++ b/archivers/fastjar/patches/patch-ad
@@ -1,9 +1,57 @@
-$NetBSD: patch-ad,v 1.4 2005/12/01 17:01:25 rillig Exp $
+$NetBSD: patch-ad,v 1.5 2006/03/14 14:02:01 joerg Exp $
---- jartool.c.orig 2001-01-11 00:38:15.000000000 -0800
+--- jartool.c.orig 2001-01-11 09:38:15.000000000 +0100
+++ jartool.c
-@@ -171,4 +171,2 @@
+@@ -171,4 +171,2 @@ static char rcsid[] = "$Id: jartool.c,v
-extern int errno;
-
void usage(char*);
+@@ -1143,2 +1141,27 @@ int create_central_header(int fd){
+
++static void canonical_filename(char *filename)
++{
++ char *iterator, *iterator2;
++
++ for (;;) {
++ if (*filename == '/')
++ memmove(filename, filename + 1, strlen(filename));
++ else if (filename[0] == '.' && filename[1] == '/')
++ memmove(filename, filename + 2, strlen(filename) - 1);
++ else if (filename[0] == '.' && filename[1] == '.' && filename[2] == '/')
++ memmove(filename, filename + 3, strlen(filename) - 2);
++ else if ((iterator = strstr(filename, "//")) != NULL)
++ memmove(iterator, iterator + 1, strlen(iterator));
++ else if ((iterator = strstr(filename, "/./")) != NULL)
++ memmove(iterator, iterator + 2, strlen(iterator) - 1);
++ else if ((iterator = strstr(filename, "/../")) != NULL) {
++ for (iterator2 = iterator - 1; iterator2 > filename && *iterator2 != '/'; --iterator2)
++ continue;
++ /* iterator2 >= filename, handle the initial slash above, if necessary */
++ memmove(iterator2, iterator + 3, strlen(iterator) - 2);
++ } else
++ break;
++ }
++}
++
+ int extract_jar(int fd, char **files, int file_num){
+@@ -1251,2 +1274,9 @@ int extract_jar(int fd, char **files, in
+
++ canonical_filename(filename);
++
++ if (*filename == '\0') {
++ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
++ exit(1);
++ }
++
+ #ifdef DEBUG
+@@ -1563,2 +1593,9 @@ int list_jar(int fd, char **files, int f
+ filename[fnlen] = '\0';
++
++ canonical_filename(filename);
++ if (*filename == '\0') {
++ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
++ exit(1);
++ }
++
+
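Review bot: A name whose last component is `..` with no trailing slash is left as-is by canonical_filename(), because every rule in the loop matches only `./`, `../`, `//`, `/./` or `/../`; for example `foo/../..` reduces to `..`, which the callers' empty-name check does not catch. What extract_jar() then does with such a name lies outside the hunk, so this may turn out harmless, but the check could reject it outright: `if (*filename == '\0' || strcmp(filename, "..") == 0) {`. The function would also benefit from a short comment stating that it rewrites the buffer in place, never lengthens it, and deliberately ignores symlinks already present on disk. In list_jar() the message still reads "Error extracting JAR archive", which is misleading when the archive is only being listed. The bodies of extract_jar() and list_jar() continue outside the hunk.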