diff options
author | Slávek Banko <[email protected]> | 2016-10-23 10:48:01 +0200 |
---|---|---|
committer | Slávek Banko <[email protected]> | 2016-10-23 10:48:01 +0200 |
commit | 261a3b7a126b7a1d28e263085b85bf1905eb4c19 (patch) | |
tree | fbc92312e421a0a4a05b0c02621b7316122d8ff4 /tdeio | |
parent | f3fadb884d08b74d5796f7d1b6ad2c2a2316c0f4 (diff) | |
download | tdelibs-261a3b7a126b7a1d28e263085b85bf1905eb4c19.tar.gz tdelibs-261a3b7a126b7a1d28e263085b85bf1905eb4c19.zip |
Fix security issue CVE-2016-6232
Based on https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f6
Signed-off-by: Slávek Banko <[email protected]>
Diffstat (limited to 'tdeio')
-rw-r--r-- | tdeio/tdeio/karchive.cpp | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/tdeio/tdeio/karchive.cpp b/tdeio/tdeio/karchive.cpp index b0e0dc6ab..69e54d1b2 100644 --- a/tdeio/tdeio/karchive.cpp +++ b/tdeio/tdeio/karchive.cpp @@ -601,6 +601,7 @@ void KArchiveDirectory::addEntry( KArchiveEntry* entry ) void KArchiveDirectory::copyTo(const TQString& dest, bool recursiveCopy ) const { TQDir root; + const TQString destDir(TQDir(dest).absPath()); // get directory path without any "." or ".." PosSortedPtrList fileList; TQMap<int, TQString> fileToDir; @@ -620,10 +621,19 @@ void KArchiveDirectory::copyTo(const TQString& dest, bool recursiveCopy ) const TQValueStack<TQString> dirNameStack; dirStack.push( this ); // init stack at current directory - dirNameStack.push( dest ); // ... with given path + dirNameStack.push( destDir ); // ... with given path do { curDir = dirStack.pop(); - curDirName = dirNameStack.pop(); + + // extract only to specified folder if it is located within archive's extraction folder + // otherwise put file under root position in extraction folder + TQString curDirName = dirNameStack.pop(); + if (!TQDir(curDirName).absPath().startsWith(destDir)) { + kdWarning() << "Attempted export into folder" << curDirName + << "which is outside of the extraction root folder" << destDir << "." + << "Changing export of contained files to extraction root folder."; + curDirName = destDir; + } root.mkdir(curDirName); dirEntries = curDir->entries(); |