authorSlávek Banko <slavek.banko@axis.cz>2016-10-23 10:48:01 +0200
committerSlávek Banko <slavek.banko@axis.cz>2016-10-23 10:48:13 +0200
commit7c619136c6f622c724c9057d8be9d0ed0527d75a (patch)
tree195c2368615d6f462cc9dce96b2b37acd3475e8b
parent9c010f4f9cdfcadd82351f15bedea029784e7bf1 (diff)
Fix security issue CVE-2016-6232
Based on https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f6 Signed-off-by: Slávek Banko <slavek.banko@axis.cz> (cherry picked from commit 261a3b7a126b7a1d28e263085b85bf1905eb4c19)
-rw-r--r--tdeio/tdeio/karchive.cpp14
1 files changed, 12 insertions, 2 deletions
diff --git a/tdeio/tdeio/karchive.cpp b/tdeio/tdeio/karchive.cpp
index b0e0dc6ab..69e54d1b2 100644
--- a/tdeio/tdeio/karchive.cpp
+++ b/tdeio/tdeio/karchive.cpp
@@ -601,6 +601,7 @@ void KArchiveDirectory::addEntry( KArchiveEntry* entry )
void KArchiveDirectory::copyTo(const TQString& dest, bool recursiveCopy ) const
{
TQDir root;
+ const TQString destDir(TQDir(dest).absPath()); // get directory path without any "." or ".."
PosSortedPtrList fileList;
TQMap<int, TQString> fileToDir;
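Review bot: The comment on the new `destDir` line should say that the normalisation is lexical only, because the containment check added further down in copyTo() relies on it. As far as I know `absPath()` removes "." and ".." but leaves symbolic links in place, so a path that looks like it is under the destination can still resolve elsewhere on disk. I would word it as `// absolute path without "." or ".."; symlinks are NOT resolved, so this is a lexical root only`. Whether `canonicalPath()` is usable here depends on the destination already existing at this point, which this hunk does not show.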
@@ -620,10 +621,19 @@ void KArchiveDirectory::copyTo(const TQString& dest, bool recursiveCopy ) const
TQValueStack<TQString> dirNameStack;
dirStack.push( this ); // init stack at current directory
- dirNameStack.push( dest ); // ... with given path
+ dirNameStack.push( destDir ); // ... with given path
do {
curDir = dirStack.pop();
- curDirName = dirNameStack.pop();
+
+ // extract only to specified folder if it is located within archive's extraction folder
+ // otherwise put file under root position in extraction folder
+ TQString curDirName = dirNameStack.pop();
+ if (!TQDir(curDirName).absPath().startsWith(destDir)) {
+ kdWarning() << "Attempted export into folder" << curDirName
+ << "which is outside of the extraction root folder" << destDir << "."
+ << "Changing export of contained files to extraction root folder.";
+ curDirName = destDir;
+ }
root.mkdir(curDirName);
dirEntries = curDir->entries();
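Review bot: The containment test `startsWith(destDir)` is a plain string-prefix match with no path-separator boundary, so a sibling directory whose name merely begins with the destination's name (destination `/tmp/out`, candidate `/tmp/out2`; constructed example) is accepted as inside the root. Compare on a component boundary instead, e.g. `const TQString absDir = TQDir(curDirName).absPath();` followed by `if (absDir != destDir && !absDir.startsWith(destDir + "/")) {`, with the case where `destDir` is the filesystem root handled separately. The new `TQString curDirName` declaration inside the loop also appears to shadow a variable declared earlier in copyTo() (the removed line assigned to it without declaring it), so any use outside the loop body, which this hunk does not show, would no longer see the value. Finally, the `kdWarning()` pieces are streamed without separating spaces or a terminating `endl`, which, if kdbgstream does not insert separators itself, will run the folder names into the surrounding words.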