author | ache <ache@FreeBSD.org> | 2003-07-28 22:43:08 +0800 |
---|---|---|
committer | ache <ache@FreeBSD.org> | 2003-07-28 22:43:08 +0800 |
commit | 799a7b2be0ed313d39f7a392a1e07a95878e8b51 (patch) | |
tree | 520006d97cc8b318a07b26c5ec506251f4fdd2be | |
parent | f4903edb8c28c943ecf44747778f57a6451df103 (diff) | |
Close vulnerability with control char between two dots.
Allow 255 char in file names.
-rw-r--r-- | archivers/unzip/Makefile | 1 | ||||
-rw-r--r-- | archivers/unzip/files/patch-ab | 90 |
2 files changed, 91 insertions, 0 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 05fadfad2b30..feba65b0e802 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= unzip
 PORTVERSION= 5.50
+PORTREVISION= 1
 CATEGORIES= archivers
 MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ \
 ${MASTER_SITE_TEX_CTAN:S,%SUBDIR%,tools/zip/info-zip/src/,}
diff --git a/archivers/unzip/files/patch-ab b/archivers/unzip/files/patch-ab
new file mode 100644
index 000000000000..6a26c3569609
--- /dev/null
+++ b/archivers/unzip/files/patch-ab
@@ -0,0 +1,90 @@
+--- unix/unix.c.orig Tue Jan 22 01:54:42 2002
++++ unix/unix.c Mon Jul 28 18:36:17 2003
+@@ -421,7 +421,8 @@
+ */
+ {
+ char pathcomp[FILNAMSIZ]; /* path-component buffer */
+- char *pp, *cp=(char *)NULL; /* character pointers */
++ char *pp, *cp=(char *)NULL, /* character pointers */
++ *dp=(char *)NULL;
+ char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
+ #ifdef ACORN_FTYPE_NFS
+ char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
+@@ -429,6 +430,7 @@
+ #endif
+ int quote = FALSE; /* flags */
+ int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
++ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
+ int error = MPN_OK;
+ register unsigned workch; /* hold the character being tested */
+
+@@ -467,6 +469,9 @@
+ while ((workch = (uch)*cp++) != 0) {
+
+ if (quote) { /* if character quoted, */
++ if ((pp == pathcomp) && (workch == '.'))
++ /* Oh no you don't... */
++ goto ddot_hack;
+ *pp++ = (char)workch; /* include it literally */
+ quote = FALSE;
+ } else
+@@ -481,15 +486,44 @@
+ break;
+
+ case '.':
+- if (pp == pathcomp) { /* nothing appended yet... */
++ if (pp == pathcomp) {
++ddot_hack:
++ /* nothing appended yet... */
+ if (*cp == '/') { /* don't bother appending "./" to */
+ ++cp; /* the path: skip behind the '/' */
+ break;
+- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
+- /* "../" dir traversal detected */
+- cp += 2; /* skip over behind the '/' */
+- killed_ddot = TRUE; /* set "show message" flag */
+- break;
++ } else if (!uO.ddotflag) {
++
++ /*
++ * SECURITY: Skip past control characters if the user
++ * didn't OK use of absolute pathnames. lhh - this is
++ * a very quick, ugly, inefficient fix.
++ */
++ dp = cp;
++ do {
++ workch = (uch)(*dp);
++ if (workch == '/' && snarf_ddot) {
++ /* "../" dir traversal detected */
++ cp = dp + 1; /* skip past the '/' */
++ killed_ddot = TRUE; /* set "show msg" flag */
++ break;
++ } else if (workch == '.' && !snarf_ddot) {
++ snarf_ddot = TRUE;
++ } else if (isprint(workch) ||
++ ((workch > 127) && (workch <= 255))) {
++ /*
++ * Since we found a printable, non-ctrl char,
++ * we can stop looking for '../', the amount
++ * in ../!
++ */
++ break;
++ }
++
++ dp++;
++ } while (*dp != 0);
++
++ if (killed_ddot)
++ break;
+ }
+ }
+ *pp++ = '.';
+@@ -519,7 +553,7 @@
+
+ default:
+ /* allow European characters in filenames: */
+- if (isprint(workch) || (128 <= workch && workch <= 254))
++ if (isprint(workch) || (128 <= workch && workch <= 255))
+ *pp++ = (char)workch;
+ } /* end switch */
+ |
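Review bot: `snarf_ddot` is declared once at function scope and nothing in the visible lines clears it, so in the inner `@@ -481,15 +486,44 @@` hunk a leading-dot component that is not a traversal can leave it TRUE, after which the second dot of a later genuine `../` falls into the `isprint()` branch and the scan stops without flagging it; it should be reset with `snarf_ddot = FALSE;` immediately before `dp = cp;`. The exit test `if (killed_ddot) break;` reuses the "show msg" flag, which stays TRUE after the first stripped `../`, so every later component that starts with a dot silently loses that dot; a flag local to this scan would separate "this scan matched" from "a message is owed". In the quoted branch `goto ddot_hack;` jumps past `quote = FALSE;`, so the next character is still taken literally and skips the switch; `quote = FALSE;` should come before the goto. The enclosing function begins and ends outside these hunks, so a reset elsewhere cannot be ruled out from here.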