aboutsummaryrefslogtreecommitdiff
path: root/archivers/unzip
diff options
context:
space:
mode:
authorAndrey A. Chernov <ache@FreeBSD.org>2003-07-28 14:43:08 +0000
committerAndrey A. Chernov <ache@FreeBSD.org>2003-07-28 14:43:08 +0000
commit813a18686646f3ed0dd1d34d844e5b7dee20ce88 (patch)
treecce574c66934a684dbdafc1908515f4107cac43e /archivers/unzip
parentcc0aa3e75a5bad228a487d89d4594e5ce461cf93 (diff)
downloadports-813a18686646f3ed0dd1d34d844e5b7dee20ce88.tar.gz
ports-813a18686646f3ed0dd1d34d844e5b7dee20ce88.zip
Close vulnerability with control char between two dots.
Allow 255 char in file names.
Notes
Notes: svn path=/head/; revision=85735
Diffstat (limited to 'archivers/unzip')
-rw-r--r--archivers/unzip/Makefile1
-rw-r--r--archivers/unzip/files/patch-ab90
2 files changed, 91 insertions, 0 deletions
diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 05fadfad2b30..feba65b0e802 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -7,6 +7,7 @@
PORTNAME= unzip
PORTVERSION= 5.50
+PORTREVISION= 1
CATEGORIES= archivers
MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ \
${MASTER_SITE_TEX_CTAN:S,%SUBDIR%,tools/zip/info-zip/src/,}
diff --git a/archivers/unzip/files/patch-ab b/archivers/unzip/files/patch-ab
new file mode 100644
index 000000000000..6a26c3569609
--- /dev/null
+++ b/archivers/unzip/files/patch-ab
@@ -0,0 +1,90 @@
+--- unix/unix.c.orig Tue Jan 22 01:54:42 2002
++++ unix/unix.c Mon Jul 28 18:36:17 2003
+@@ -421,7 +421,8 @@
+ */
+ {
+ char pathcomp[FILNAMSIZ]; /* path-component buffer */
+- char *pp, *cp=(char *)NULL; /* character pointers */
++ char *pp, *cp=(char *)NULL, /* character pointers */
++ *dp=(char *)NULL;
+ char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
+ #ifdef ACORN_FTYPE_NFS
+ char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
+@@ -429,6 +430,7 @@
+ #endif
+ int quote = FALSE; /* flags */
+ int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
++ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
+ int error = MPN_OK;
+ register unsigned workch; /* hold the character being tested */
+
+@@ -467,6 +469,9 @@
+ while ((workch = (uch)*cp++) != 0) {
+
+ if (quote) { /* if character quoted, */
++ if ((pp == pathcomp) && (workch == '.'))
++ /* Oh no you don't... */
++ goto ddot_hack;
+ *pp++ = (char)workch; /* include it literally */
+ quote = FALSE;
+ } else
+@@ -481,15 +486,44 @@
+ break;
+
+ case '.':
+- if (pp == pathcomp) { /* nothing appended yet... */
++ if (pp == pathcomp) {
++ddot_hack:
++ /* nothing appended yet... */
+ if (*cp == '/') { /* don't bother appending "./" to */
+ ++cp; /* the path: skip behind the '/' */
+ break;
+- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
+- /* "../" dir traversal detected */
+- cp += 2; /* skip over behind the '/' */
+- killed_ddot = TRUE; /* set "show message" flag */
+- break;
++ } else if (!uO.ddotflag) {
++
++ /*
++ * SECURITY: Skip past control characters if the user
++ * didn't OK use of absolute pathnames. lhh - this is
++ * a very quick, ugly, inefficient fix.
++ */
++ dp = cp;
++ do {
++ workch = (uch)(*dp);
++ if (workch == '/' && snarf_ddot) {
++ /* "../" dir traversal detected */
++ cp = dp + 1; /* skip past the '/' */
++ killed_ddot = TRUE; /* set "show msg" flag */
++ break;
++ } else if (workch == '.' && !snarf_ddot) {
++ snarf_ddot = TRUE;
++ } else if (isprint(workch) ||
++ ((workch > 127) && (workch <= 255))) {
++ /*
++ * Since we found a printable, non-ctrl char,
++ * we can stop looking for '../', the amount
++ * in ../!
++ */
++ break;
++ }
++
++ dp++;
++ } while (*dp != 0);
++
++ if (killed_ddot)
++ break;
+ }
+ }
+ *pp++ = '.';
+@@ -519,7 +553,7 @@
+
+ default:
+ /* allow European characters in filenames: */
+- if (isprint(workch) || (128 <= workch && workch <= 254))
++ if (isprint(workch) || (128 <= workch && workch <= 255))
+ *pp++ = (char)workch;
+ } /* end switch */
+