When CONFIG_FEATURE_PATH_TRAVERSAL_PROTECTION is set to y, the following cpio test fails:
======================
echo -ne '' >input
echo -ne '' | (cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract' | cpio -o -H newc) | (cd cpio.testdir/extract && cpio -vi 2>&1)
echo $?
ls cpio.testdir/dont_write 2>&1
cpio: -e ../dont_write: No such file or directory
FAIL: cpio extract file outside of destination
--- expected
+++ actual
@@ -1,6 +1,2 @@
-cpio: removing leading '../' from member names
-../dont_write
-to_extract
-1 blocks
 0
 ls: cpio.testdir/dont_write: No such file or directory

This is because 9a8796436b9b0641e13480811902ea2ac57881d3 "archival: disallow path traversals (CVE-2023-39810)" is using the wrong "echo" when doing things:

  (cd cpio.testdir/prepare/inner && echo -e '../dont_write\nto_extract'...

it should be using $ECHO, not echo here, as is used everywhere else when -e/-n is in use. The fix is trivial -- s/echo -/\$ECHO -/ in that line.

Thanks,

/mjt
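As an added example, not code from the mail or from the busybox testsuite: a POSIX sh snippet that picks an echo which honours -e (the role $ECHO plays in the harness), emits the same two-member list with it, and shows the printf form that needs no detection at all. The helper names pick_echo, member_list and member_list_printf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not busybox code. pick_echo, member_list and
# member_list_printf are hypothetical helper names.

# Find an echo that honours -e. A plain POSIX echo prints "-e" literally,
# which is exactly how the first member name turned into "-e ../dont_write"
# in the failing test above.
pick_echo() {
    for cand in echo /bin/echo; do
        if [ "$("$cand" -e 'x\ny' 2>/dev/null)" = "$(printf 'x\ny')" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Emit the two member names, one per line, through the detected echo,
# as the testsuite does through $ECHO.
member_list() {
    ECHO=$(pick_echo) || return 1
    $ECHO -e '../dont_write\nto_extract'
}

# The same list with no dependence on -e: printf is the portable choice.
member_list_printf() {
    printf '%s\n' '../dont_write' 'to_extract'
}
```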
