* src/lhext.c (extract_one, is_directory_traversal): applied a

security patch (CAN-2004-0235: directory traversal problems)

git-svn-id: svn+ssh://svn.sourceforge.jp/svnroot/lha/lha/trunk@783 6a8cc165-1e22-0410-a132-eb4e3f353aba

diff --git a/src/lhext.c b/src/lhext.c
index 15f2653..3fdbd65 100644 (file)
--- a/src/lhext.c
+++ b/src/lhext.c
@@ -225,8 +225,14 @@ extract_one(afp, hdr)
         q = (char *) strrchr(hdr->name, '/') + 1;
     }
     else {
+        if (is_directory_traversal(q)) {
+            fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
+            exit(111);
+        }
+
         if (*q == '/') {
-            q++;
+            while (*q == '/') { q++; }
+
             /*
              * if OSK then strip device name
              */
@@ -479,6 +485,33 @@ cmd_extract()
     return;
 }
 
+int
+is_directory_traversal(char *string)
+{
+    unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
+    char *temp;
+
+    temp = string;
+
+    while (*temp != 0) {
+        if (temp[0] == '/') {
+            if (type == 1) { return 1; }
+            type = 0;
+            temp++;
+            continue;
+        }
+
+        if ((temp[0] == '.') && (type < 2))
+            type = 1;
+        if (temp[0] != '.')
+            type = 2;
+
+        temp++;
+    } /* while */
+
+    return (type == 1);
+}
+
 /*
  * restore directory information (time stamp).
  * added by A.Iriyama  2003.12.12