On Sun, Dec 28, 2014 at 02:46:15AM +0300, Alexander Cherepanov wrote:
> There is a directory traversal in `ar`:
>
> # printf '!<arch>\n%-48s%-10s`\n//file/\n%-48s%-10s`\n' // 8 /1 0 > test.a
> # ar -xv test.a
> x - /file
>
> Patch attached.

Thanks, but I think we need a bit more background. Unfortunately the ar archive format and long names format are not very well documented. And there seem to be various different formats.

What our implementation follows is what I believe is the sysv format, which terminates long names with a '/' and LF. So the current implementation searches for a '/' and then creates a terminated (NUL) string, and skips the LF (we don't actually check there is a LF).

You do terminate the string at a '/' but then start searching for the next long name at the LF (which in your example isn't there). So if I understand correctly we would still not support directories in ar files. But maybe that is not the point of your patch?

Is your example something that is actually produced by another ar implementation? Or is it an example of a bad long file name that we don't handle properly?

Thanks,

Mark

BTW. For patches we require people to follow the guidelines in the CONTRIBUTING file (in particular we require a Signed-off-by line): https://git.fedorahosted.org/cgit/elfutils.git/tree/CONTRIBUTING
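
The long-name handling discussed in this message, as an added example that is not part of the thread, the attached patch, or elfutils: a small checker that resolves member names from the `//` table (requiring both the '/' and the LF) and flags any name that is not a flat file name. The function names and the "no '/' in a member name" policy are assumptions of this example; both sample archives are constructed, the first from the printf in the report.

```python
MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] date[12] uid[6] gid[6] mode[8] size[10] fmag[2]

def member_names(data):
    """Return the resolved name of every regular member in an ar archive."""
    if not data.startswith(MAGIC):
        raise ValueError("not an ar archive")
    names, longnames, pos = [], b"", len(MAGIC)
    while pos + HDR_LEN <= len(data):
        hdr = data[pos:pos + HDR_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        field = hdr[:16].rstrip(b" ")
        size = int(hdr[48:58].decode("ascii"))
        body = data[pos + HDR_LEN:pos + HDR_LEN + size]
        pos += HDR_LEN + size + (size & 1)      # members are 2-byte aligned
        if field == b"//":                      # long-name table
            longnames = body
        elif field in (b"/", b"/SYM64/"):       # symbol tables carry no file name
            continue
        elif field[:1] == b"/" and field[1:].isdigit():  # "/<offset>" reference
            off = int(field[1:])
            end = longnames.find(b"/\n", off)   # strict: require '/' AND LF
            if off >= len(longnames) or end < 0:
                raise ValueError("dangling long-name reference %r" % field)
            names.append(longnames[off:end])
        else:                                   # short name, optional trailing '/'
            names.append(field[:-1] if field.endswith(b"/") else field)
    return names

def is_unsafe(name):
    """Assumed policy: members are flat file names, so any '/' is rejected."""
    return name in (b"", b".", b"..") or b"/" in name or b"\0" in name

def unsafe_members(data):
    """Names that an extractor should refuse to create."""
    return [n for n in member_names(data) if is_unsafe(n)]

def header(name, size):
    # Same layout as the printf in the report: 48 bytes of fields, size, fmag.
    return b"%-48s%-10d`\n" % (name, size)

# Constructed samples: the archive from the report, and a benign long name.
REPORTED = MAGIC + header(b"//", 8) + b"//file/\n" + header(b"/1", 0)
BENIGN = (MAGIC + header(b"//", 28) + b"a_very_long_object_name.o/\n\n"
          + header(b"/0", 0) + header(b"short.o/", 0))

if __name__ == "__main__":
    for label, blob in (("reported", REPORTED), ("benign", BENIGN)):
        print(label, member_names(blob), "unsafe:", unsafe_members(blob))
```

Running the check before extraction means the decision does not depend on how leniently the extractor itself walks the long-name table.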
