Comments (2)
selmf
commented on May 26, 2024
Hi and thank you for the notice. You don't really need a prepared sample to test this issue. The problem is that unarr extracts the paths as they are recorded in the archives, so if somebody crafts an archive containing a path which leads to directory traversal and you pass this on to the filesystem, bad things can happen.
The fix for this is pretty straightforward. You need to check if the paths are valid before you write to them. If they are not, you either need to sanitize them or you mark the file to as corrupt (the path is, after all, non-spec and the archive was probably handcrafted as an attack) and you refuse to extract them.
I probably should also do something on my side to prevent such issues from ocuring, but this needs a bit of research and consideration so I don't screw things up.
from unarr.
gen2brain
commented on May 26, 2024
Thanks, I pushed a fix here gen2brain/go-unarr@239ec40, I preferred to sanitize the entry name. It is easy to create an archive for testing:
import sys, tarfile
def main(argv=sys.argv):
tf = tarfile.open("test.tar", "w")
tf.add("/etc/protocols", "test/../../../../../../../../../../../tmp/test.txt")
tf.close()
return
if __name__ == '__main__':
main()
from unarr.
Related Issues (16)
- 1.0.1: version problems. HOT 5
- Cannot unarchive 7z files HOT 6
- Missing `raw` parameter in `x_get_name` calls HOT 1
- API limits the maximum archive entry size on 32bit systems HOT 8
- QtWebApp HOT 1
- Please release a new version so a version with 7zip support can get packaged HOT 6
- 1.0.1: no ctest test units HOT 6
- pkg-config file is broken when CMAKE_INSTALL_{INCLUDE,LIB}DIR is absolute
- When un7zip size of 100GB.7z and 10GB.7z files report an error :'unarr: No valid RAR, ZIP, 7Z or TAR archive' HOT 3
- add new release to fix includedir and libdir in libunarr.pc HOT 3
- RAR 5.0 support needed HOT 18
- more clear API documentation for ar_parse_entry failed situation ? HOT 1
- memory leak if 7z is not valid HOT 1
- allocate very big memory for some invalid input HOT 5
- encoding problems in zip files HOT 22
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from unarr.