kdelibs3/kdelibs-3.5.10-CVE-2016-6232.patch

49 lines
1.9 KiB
Diff

From 261a3b7a126b7a1d28e263085b85bf1905eb4c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
Date: Sun, 23 Oct 2016 10:48:01 +0200
Subject: Fix security issue CVE-2016-6232 Based on
https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f6
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
diff --git a/kio/kio/karchive.cpp b/kio/kio/karchive.cpp
index b0e0dc6..69e54d1 100644
--- a/kio/kio/karchive.cpp
+++ b/kio/kio/karchive.cpp
@@ -601,6 +601,7 @@ void KArchiveDirectory::addEntry( KArchiveEntry* entry )
void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
{
QDir root;
+ const QString destDir(QDir(dest).absPath()); // get directory path without any "." or ".."
PosSortedPtrList fileList;
QMap<int, QString> fileToDir;
@@ -620,10 +621,19 @@ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const
QValueStack<QString> dirNameStack;
dirStack.push( this ); // init stack at current directory
- dirNameStack.push( dest ); // ... with given path
+ dirNameStack.push( destDir ); // ... with given path
do {
curDir = dirStack.pop();
- curDirName = dirNameStack.pop();
+
+ // extract only to specified folder if it is located within archive's extraction folder
+ // otherwise put file under root position in extraction folder
+ QString curDirName = dirNameStack.pop();
+ if (!QDir(curDirName).absPath().startsWith(destDir)) {
+ kdWarning() << "Attempted export into folder" << curDirName
+ << "which is outside of the extraction root folder" << destDir << "."
+ << "Changing export of contained files to extraction root folder.";
+ curDirName = destDir;
+ }
root.mkdir(curDirName);
dirEntries = curDir->entries();
--
cgit v0.10.2