From 997aa99e3df068656aeca006c032538f98ea1c66 Mon Sep 17 00:00:00 2001
From: Timo Teräs <timo.teras@iki.fi>
Date: Fri, 24 Apr 2015 09:54:54 +0300
Subject: do not extract files with malicious name

the security implications are not as high as compared to regular
tar/unzip archiver. this is because you are anyway trusting
the package to install files anywhere in the filesystem.

this serves rather as a sanity to check against errors in created
package.
---
 src/database.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'src/database.c')

diff --git a/src/database.c b/src/database.c
index 0f0496b..c814957 100644
--- a/src/database.c
+++ b/src/database.c
@@ -2258,8 +2258,21 @@ static int apk_db_install_archive_entry(void *_ctx,
 	if (r <= 0)
 		return r;
 
-	/* Package metainfo and script processing */
 	r = 0;
+
+	/* Sanity check the file name */
+	if (ae->name[0] == '/' ||
+	    strncmp(ae->name, "/./"+1, 3) == 0 ||
+	    strncmp(ae->name, "/../"+1, 3) == 0 ||
+	    strstr(ae->name, "/./") ||
+	    strstr(ae->name, "/../")) {
+		apk_warning(PKG_VER_FMT": ignoring malicious file %s",
+			    PKG_VER_PRINTF(pkg), ae->name);
+		ipkg->broken_files = 1;
+		return 0;
+	}
+
+	/* Package metainfo and script processing */
 	if (ae->name[0] == '.') {
 		/* APK 2.0 format */
 		if (strcmp(ae->name, ".PKGINFO") == 0) {
-- 
cgit v1.2.3-60-g2f50