authorjoerg <joerg>2006-03-14 14:02:01 +0000
committerjoerg <joerg>2006-03-14 14:02:01 +0000
commit260ac6dcf5862a5ac40a2b5fcc27b387e53dfc9a (patch)
tree5330290097b251fa22df0189b11cfe71c005ad81
parenta2da4afddd06e83953369c93f9af88862e2b14f1 (diff)
Normalise path names as relative under cwd as if they would have been
extracted under chroot. Don't attempt to deal with existing symlinks to directories. This prevents directory traversal and therefore the creation of arbitrary files. Bump revision.
-rw-r--r--archivers/fastjar/Makefile4
-rw-r--r--archivers/fastjar/distinfo4
-rw-r--r--archivers/fastjar/patches/patch-ad54
3 files changed, 55 insertions, 7 deletions
diff --git a/archivers/fastjar/Makefile b/archivers/fastjar/Makefile
index a04bb9173ee..d29b8e1d3d9 100644
--- a/archivers/fastjar/Makefile
+++ b/archivers/fastjar/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2006/03/04 21:28:52 jlam Exp $
+# $NetBSD: Makefile,v 1.15 2006/03/14 14:02:01 joerg Exp $
#
DISTNAME= fastjar-0.93
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= archivers
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=fastjar/}
EXTRACT_SUFX= .tgz
diff --git a/archivers/fastjar/distinfo b/archivers/fastjar/distinfo
index b0842c66fd3..ba2f7b96c2e 100644
--- a/archivers/fastjar/distinfo
+++ b/archivers/fastjar/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2005/12/01 17:01:25 rillig Exp $
+$NetBSD: distinfo,v 1.11 2006/03/14 14:02:01 joerg Exp $
SHA1 (fastjar-0.93.tgz) = 74acc8e8a920ea6da18a180cd0a691c5d7c4699f
RMD160 (fastjar-0.93.tgz) = 1627f2316cc7bca6a477011d1b812b140900d987
@@ -6,4 +6,4 @@ Size (fastjar-0.93.tgz) = 62419 bytes
SHA1 (patch-aa) = 12cc5397a89c18d239164caa3955121ca6d01de0
SHA1 (patch-ab) = c13f46e1a3e60a3bbe656af609a5c9fb047a4ca3
SHA1 (patch-ac) = ce8eefb978a93d0043f8b98fbf4049f022ce663c
-SHA1 (patch-ad) = 3d0a5c0afc02b1bee58c415f3b3f2691d0e0dcda
+SHA1 (patch-ad) = c988c11e01c364d94a7a12c3eb4dc933b12861a0
diff --git a/archivers/fastjar/patches/patch-ad b/archivers/fastjar/patches/patch-ad
index 832c8421ba0..63a3b1b1039 100644
--- a/archivers/fastjar/patches/patch-ad
+++ b/archivers/fastjar/patches/patch-ad
@@ -1,9 +1,57 @@
-$NetBSD: patch-ad,v 1.4 2005/12/01 17:01:25 rillig Exp $
+$NetBSD: patch-ad,v 1.5 2006/03/14 14:02:01 joerg Exp $
---- jartool.c.orig 2001-01-11 00:38:15.000000000 -0800
+--- jartool.c.orig 2001-01-11 09:38:15.000000000 +0100
+++ jartool.c
-@@ -171,4 +171,2 @@
+@@ -171,4 +171,2 @@ static char rcsid[] = "$Id: jartool.c,v
-extern int errno;
-
void usage(char*);
+@@ -1143,2 +1141,27 @@ int create_central_header(int fd){
+
++static void canonical_filename(char *filename)
++{
++ char *iterator, *iterator2;
++
++ for (;;) {
++ if (*filename == '/')
++ memmove(filename, filename + 1, strlen(filename));
++ else if (filename[0] == '.' && filename[1] == '/')
++ memmove(filename, filename + 2, strlen(filename) - 1);
++ else if (filename[0] == '.' && filename[1] == '.' && filename[2] == '/')
++ memmove(filename, filename + 3, strlen(filename) - 2);
++ else if ((iterator = strstr(filename, "//")) != NULL)
++ memmove(iterator, iterator + 1, strlen(iterator));
++ else if ((iterator = strstr(filename, "/./")) != NULL)
++ memmove(iterator, iterator + 2, strlen(iterator) - 1);
++ else if ((iterator = strstr(filename, "/../")) != NULL) {
++ for (iterator2 = iterator - 1; iterator2 > filename && *iterator2 != '/'; --iterator2)
++ continue;
++ /* iterator2 >= filename, handle the initial slash above, if necessary */
++ memmove(iterator2, iterator + 3, strlen(iterator) - 2);
++ } else
++ break;
++ }
++}
++
+ int extract_jar(int fd, char **files, int file_num){
+@@ -1251,2 +1274,9 @@ int extract_jar(int fd, char **files, in
+
++ canonical_filename(filename);
++
++ if (*filename == '\0') {
++ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
++ exit(1);
++ }
++
+ #ifdef DEBUG
+@@ -1563,2 +1593,9 @@ int list_jar(int fd, char **files, int f
+ filename[fnlen] = '\0';
++
++ canonical_filename(filename);
++ if (*filename == '\0') {
++ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
++ exit(1);
++ }
++
+
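Review bot: In `canonical_filename` (the nested jartool.c hunk at line 1143), a `..` that is the last path component is never normalised, because every branch matches only `../` or `/../` with a trailing slash. A name such as `..` or `dir/..` therefore leaves the loop unchanged and also passes the `*filename == '\0'` check added to `extract_jar` and `list_jar`. What the extractor then does with such a name depends on code outside this hunk (both callers start and end outside it), so it seems safer to reject it explicitly, e.g. `if (*filename == '\0' || strcmp(filename, "..") == 0 || (strlen(filename) > 2 && strcmp(filename + strlen(filename) - 3, "/..") == 0)) {`. The copy of the check in `list_jar` prints "Error extracting JAR archive" while only listing, and the listing now shows the rewritten name rather than the one stored in the archive; a short comment there, such as `/* names are shown as they would be extracted, not as stored */`, would make that visible to someone inspecting a suspicious archive.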