authorache <ache@FreeBSD.org>2003-07-28 22:43:08 +0800
committerache <ache@FreeBSD.org>2003-07-28 22:43:08 +0800
commit799a7b2be0ed313d39f7a392a1e07a95878e8b51 (patch)
tree520006d97cc8b318a07b26c5ec506251f4fdd2be
parentf4903edb8c28c943ecf44747778f57a6451df103 (diff)
Close vulnerability with control char between two dots.
Allow character code 255 in file names.
-rw-r--r--archivers/unzip/Makefile1
-rw-r--r--archivers/unzip/files/patch-ab90
2 files changed, 91 insertions, 0 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 05fadfad2b30..feba65b0e802 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -7,6 +7,7 @@
PORTNAME= unzip
PORTVERSION= 5.50
+PORTREVISION= 1
CATEGORIES= archivers
MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ \
${MASTER_SITE_TEX_CTAN:S,%SUBDIR%,tools/zip/info-zip/src/,}
diff --git a/archivers/unzip/files/patch-ab b/archivers/unzip/files/patch-ab
new file mode 100644
index 000000000000..6a26c3569609
--- /dev/null
+++ b/archivers/unzip/files/patch-ab
@@ -0,0 +1,90 @@
+--- unix/unix.c.orig Tue Jan 22 01:54:42 2002
++++ unix/unix.c Mon Jul 28 18:36:17 2003
+@@ -421,7 +421,8 @@
+ */
+ {
+ char pathcomp[FILNAMSIZ]; /* path-component buffer */
+- char *pp, *cp=(char *)NULL; /* character pointers */
++ char *pp, *cp=(char *)NULL, /* character pointers */
++ *dp=(char *)NULL;
+ char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
+ #ifdef ACORN_FTYPE_NFS
+ char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
+@@ -429,6 +430,7 @@
+ #endif
+ int quote = FALSE; /* flags */
+ int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
++ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
+ int error = MPN_OK;
+ register unsigned workch; /* hold the character being tested */
+
+@@ -467,6 +469,9 @@
+ while ((workch = (uch)*cp++) != 0) {
+
+ if (quote) { /* if character quoted, */
++ if ((pp == pathcomp) && (workch == '.'))
++ /* Oh no you don't... */
++ goto ddot_hack;
+ *pp++ = (char)workch; /* include it literally */
+ quote = FALSE;
+ } else
+@@ -481,15 +486,44 @@
+ break;
+
+ case '.':
+- if (pp == pathcomp) { /* nothing appended yet... */
++ if (pp == pathcomp) {
++ddot_hack:
++ /* nothing appended yet... */
+ if (*cp == '/') { /* don't bother appending "./" to */
+ ++cp; /* the path: skip behind the '/' */
+ break;
+- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
+- /* "../" dir traversal detected */
+- cp += 2; /* skip over behind the '/' */
+- killed_ddot = TRUE; /* set "show message" flag */
+- break;
++ } else if (!uO.ddotflag) {
++
++ /*
++ * SECURITY: Skip past control characters if the user
++ * didn't OK use of absolute pathnames. lhh - this is
++ * a very quick, ugly, inefficient fix.
++ */
++ dp = cp;
++ do {
++ workch = (uch)(*dp);
++ if (workch == '/' && snarf_ddot) {
++ /* "../" dir traversal detected */
++ cp = dp + 1; /* skip past the '/' */
++ killed_ddot = TRUE; /* set "show msg" flag */
++ break;
++ } else if (workch == '.' && !snarf_ddot) {
++ snarf_ddot = TRUE;
++ } else if (isprint(workch) ||
++ ((workch > 127) && (workch <= 255))) {
++ /*
++ * Since we found a printable, non-ctrl char,
++ * we can stop looking for '../', the amount
++ * in ../!
++ */
++ break;
++ }
++
++ dp++;
++ } while (*dp != 0);
++
++ if (killed_ddot)
++ break;
+ }
+ }
+ *pp++ = '.';
+@@ -519,7 +553,7 @@
+
+ default:
+ /* allow European characters in filenames: */
+- if (isprint(workch) || (128 <= workch && workch <= 254))
++ if (isprint(workch) || (128 <= workch && workch <= 255))
+ *pp++ = (char)workch;
+ } /* end switch */
+
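Review bot: The new scan under `case '.'` keeps its state in `snarf_ddot` and `killed_ddot`, which are declared once at function scope and are not reset anywhere in the visible hunks, so the outcome of one path component's scan carries over into the next. Once a first "../" has been stripped, `if (killed_ddot) break;` fires for every later component that begins with a dot, even when the scan stopped at a printable character, so a member named `../.profile` would be extracted without the leading dot of `.profile`; a stale `snarf_ddot` likewise starts the next scan in the wrong state. I would set `snarf_ddot = FALSE;` just before `dp = cp;` and drive the post-loop `break` from a flag set during this scan, keeping `killed_ddot` only as the show-message flag. Separately, the `goto ddot_hack` in the quoted branch leaves the switch without running `quote = FALSE;`, so the following character appears to be treated as quoted as well; clearing `quote` before the jump would avoid that. The function begins and ends outside these hunks, so both points assume neither flag is reset elsewhere in the loop.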