From 43ac4825d301da9f94671d8305ad04f55f3025f4 Mon Sep 17 00:00:00 2001 From: joerg Date: Tue, 14 Mar 2006 14:02:01 +0000 Subject: Normalise path names as relative under cwd as if they would have been extracted under chroot. Don't attempt to deal with existing symlinks to directories. This prevents directory traversal and therefore the creation of arbitrary files. Bump revision. --- archivers/fastjar/Makefile | 4 +-- archivers/fastjar/distinfo | 4 +-- archivers/fastjar/patches/patch-ad | 54 +++++++++++++++++++++++++++++++++++--- 3 files changed, 55 insertions(+), 7 deletions(-) (limited to 'archivers') diff --git a/archivers/fastjar/Makefile b/archivers/fastjar/Makefile index a04bb9173ee..d29b8e1d3d9 100644 --- a/archivers/fastjar/Makefile +++ b/archivers/fastjar/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.14 2006/03/04 21:28:52 jlam Exp $ +# $NetBSD: Makefile,v 1.15 2006/03/14 14:02:01 joerg Exp $ # DISTNAME= fastjar-0.93 -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= archivers MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=fastjar/} EXTRACT_SUFX= .tgz diff --git a/archivers/fastjar/distinfo b/archivers/fastjar/distinfo index b0842c66fd3..ba2f7b96c2e 100644 --- a/archivers/fastjar/distinfo +++ b/archivers/fastjar/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.10 2005/12/01 17:01:25 rillig Exp $ +$NetBSD: distinfo,v 1.11 2006/03/14 14:02:01 joerg Exp $ SHA1 (fastjar-0.93.tgz) = 74acc8e8a920ea6da18a180cd0a691c5d7c4699f RMD160 (fastjar-0.93.tgz) = 1627f2316cc7bca6a477011d1b812b140900d987 @@ -6,4 +6,4 @@ Size (fastjar-0.93.tgz) = 62419 bytes SHA1 (patch-aa) = 12cc5397a89c18d239164caa3955121ca6d01de0 SHA1 (patch-ab) = c13f46e1a3e60a3bbe656af609a5c9fb047a4ca3 SHA1 (patch-ac) = ce8eefb978a93d0043f8b98fbf4049f022ce663c -SHA1 (patch-ad) = 3d0a5c0afc02b1bee58c415f3b3f2691d0e0dcda +SHA1 (patch-ad) = c988c11e01c364d94a7a12c3eb4dc933b12861a0 diff --git a/archivers/fastjar/patches/patch-ad b/archivers/fastjar/patches/patch-ad index 832c8421ba0..63a3b1b1039 100644 --- a/archivers/fastjar/patches/patch-ad +++ b/archivers/fastjar/patches/patch-ad @@ -1,9 +1,57 @@ -$NetBSD: patch-ad,v 1.4 2005/12/01 17:01:25 rillig Exp $ +$NetBSD: patch-ad,v 1.5 2006/03/14 14:02:01 joerg Exp $ ---- jartool.c.orig 2001-01-11 00:38:15.000000000 -0800 +--- jartool.c.orig 2001-01-11 09:38:15.000000000 +0100 +++ jartool.c -@@ -171,4 +171,2 @@ +@@ -171,4 +171,2 @@ static char rcsid[] = "$Id: jartool.c,v -extern int errno; - void usage(char*); +@@ -1143,2 +1141,27 @@ int create_central_header(int fd){ + ++static void canonical_filename(char *filename) ++{ ++ char *iterator, *iterator2; ++ ++ for (;;) { ++ if (*filename == '/') ++ memmove(filename, filename + 1, strlen(filename)); ++ else if (filename[0] == '.' && filename[1] == '/') ++ memmove(filename, filename + 2, strlen(filename) - 1); ++ else if (filename[0] == '.' && filename[1] == '.' && filename[2] == '/') ++ memmove(filename, filename + 3, strlen(filename) - 2); ++ else if ((iterator = strstr(filename, "//")) != NULL) ++ memmove(iterator, iterator + 1, strlen(iterator)); ++ else if ((iterator = strstr(filename, "/./")) != NULL) ++ memmove(iterator, iterator + 2, strlen(iterator) - 1); ++ else if ((iterator = strstr(filename, "/../")) != NULL) { ++ for (iterator2 = iterator - 1; iterator2 > filename && *iterator2 != '/'; --iterator2) ++ continue; ++ /* iterator2 >= filename, handle the initial slash above, if necessary */ ++ memmove(iterator2, iterator + 3, strlen(iterator) - 2); ++ } else ++ break; ++ } ++} ++ + int extract_jar(int fd, char **files, int file_num){ +@@ -1251,2 +1274,9 @@ int extract_jar(int fd, char **files, in + ++ canonical_filename(filename); ++ ++ if (*filename == '\0') { ++ fprintf(stderr, "Error extracting JAR archive, empty file name!\n"); ++ exit(1); ++ } ++ + #ifdef DEBUG +@@ -1563,2 +1593,9 @@ int list_jar(int fd, char **files, int f + filename[fnlen] = '\0'; ++ ++ canonical_filename(filename); ++ if (*filename == '\0') { ++ fprintf(stderr, "Error extracting JAR archive, empty file name!\n"); ++ exit(1); ++ } ++ + -- cgit v1.2.3