On 2015-01-12 08:24, Tim Kientzle wrote:
>
>> On Jan 11, 2015, at 9:15 AM, Alexander Cherepanov <cher...@mccme.ru> wrote:
>>
>> On 2015-01-10 08:33, Tim Kientzle wrote:
>>>> On Jan 9, 2015, at 5:50 AM, Alexander Cherepanov <cher...@mccme.ru> wrote:
>>>> libarchive seems to be quite cautious in various regards and bsdtar does guard against directory traversals by default. Cool!
>>>>
>>>> bsdcpio, by default, rejects .. in file names and doesn't go through symlinks but happily extracts files using absolute paths:
>>>>
>>>> $ touch /tmp/abs
>>>> $ echo /tmp/abs | ./bsdcpio -ov > test.cpio
>>>> /tmp/abs
>>>> 1 block
>>>> $ rm /tmp/abs
>>>> $ ./bsdcpio -iv < test.cpio
>>>> /tmp/abs
>>>> 1 block
>>>> $ ls /tmp/abs
>>>> /tmp/abs
>>>>
>>>> Is it just an oversight or are there some reasons for this?
>>>
>>> Just an oversight.
>>>
>>> Patches to correct this would be much appreciated.
>>
>> The proper fix probably involves adding a new flag in libarchive or renaming/retargeting ARCHIVE_EXTRACT_SECURE_NODOTDOT. The interaction of this with interactive renaming in bsdcpio is not entirely clear: right now bsdcpio rejects names with '..' even if it's entered interactively. Not intuitive but I'm not sure if it's wrong or not. But I digressed…
>
> I’ll take a look at your patch this week.

Thanks.

> In bsdtar, this is handled as part of the renaming processing, and that would certainly be one way to add it to bsdcpio.

I've started from looking into bsdtar but it seems to be more
complicated in this regard. Then I found a comment "TODO: Publish the
path normalization routines in libarchive[...]" and figured that a
proper fix could be quite involved.

> But I think other libarchive users would benefit more from a much simpler approach:
>
> * Add a new flag ARCHIVE_EXTRACT_SECURE_NO_ABSOLUTE_PATHS
> * modify archive_write_disk to simply reject any path that is an absolute path.
>
> This could easily be enabled by default in bsdcpio and other clients.

Perhaps it's possible to fix it at the level of libarchive instead of
bsdcpio but without full cleaning of bsdtar. I'm not sure what it will take.
OTOH fixing bsdcpio is a small isolated undertaking. Perhaps some folks
will want to backport this fix to previous versions of libarchive&co.
And for a security fix, the smaller the better. So I would appreciate it if
you could take a look at my patch. It is surely not ideal -- it's probably
very not useful on Windows. But it would be nice to know that it
fixes the issue at least on Linux/BSD.
--
Alexander Cherepanov
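
The check discussed in this thread (reject absolute entry names, alongside the existing '..' rejection), sketched as an added example; it is not part of the original messages, not the patch referred to above, and not libarchive's code. The names check_entry_path and enum path_verdict are hypothetical, and the example goes beyond the Linux/BSD case by also treating Windows-style drive and backslash prefixes as absolute.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical result codes for this example (not libarchive constants). */
enum path_verdict { PATH_OK = 0, PATH_ABSOLUTE, PATH_DOTDOT, PATH_EMPTY };

static int is_sep(char c) { return c == '/' || c == '\\'; }

/*
 * Classify an archive entry name before it is handed to the extractor.
 * Both '/' and backslash count as separators so Windows-style names are
 * caught too. This is a conservative assumption: on POSIX a backslash is
 * an ordinary filename character, so a few legitimate names are rejected.
 */
enum path_verdict check_entry_path(const char *p)
{
    if (p == NULL || *p == '\0')
        return PATH_EMPTY;

    /* Leading separator: "/tmp/abs", a UNC name, or a rooted Windows path. */
    if (is_sep(p[0]))
        return PATH_ABSOLUTE;
    /* Drive prefix: both "C:/dir" and drive-relative "C:dir" escape the
     * extraction directory, so reject either form. */
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return PATH_ABSOLUTE;

    /* Walk the components and reject any that is exactly "..". */
    while (*p != '\0') {
        size_t len = 0;
        while (p[len] != '\0' && !is_sep(p[len]))
            len++;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return PATH_DOTDOT;
        p += len;
        while (is_sep(*p))   /* skip one or more separators */
            p++;
    }
    return PATH_OK;
}
```

This is a purely lexical check on the name; it does not cover extraction through symlinks, which the thread notes bsdcpio already refuses to follow.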