PatchSet 7198 Date: 2006/03/28 08:53:40 Author: tonio Branch: HEAD Tag: (none) Log: Fix security problem for fastjar reported at : http://secunia.com/advisories/14902 confirmed by Dalibor
Use a canonical_filename function as proposed by joerg, since the problem can't be fixed by realpath, see http://mail-index.netbsd.org/tech-pkg/2006/03/07/0002.html Members: external/gcc/fastjar/jartool.c:1.1->1.2
Index: kaffe/external/gcc/fastjar/jartool.c
diff -u kaffe/external/gcc/fastjar/jartool.c:1.1 kaffe/external/gcc/fastjar/jartool.c:1.2
--- kaffe/external/gcc/fastjar/jartool.c:1.1 Tue Jan 3 15:27:01 2006
+++ kaffe/external/gcc/fastjar/jartool.c Tue Mar 28 08:53:40 2006
@@ -1591,6 +1591,31 @@
 return 0;
 }
 
+static void canonical_filename(char *filename)
+{
+ char *iterator, *iterator2;
+
+ for (;;) {
+ if (*filename == '/')
+ memmove(filename, filename + 1, strlen(filename));
+ else if (filename[0] == '.' && filename[1] == '/')
+ memmove(filename, filename + 2, strlen(filename) - 1);
+ else if (filename[0] == '.' && filename[1] == '.' && filename[2] == '/')
+ memmove(filename, filename + 3, strlen(filename) - 2);
+ else if ((iterator = strstr(filename, "//")) != NULL)
+ memmove(iterator, iterator + 1, strlen(iterator));
+ else if ((iterator = strstr(filename, "/./")) != NULL)
+ memmove(iterator, iterator + 2, strlen(iterator) - 1);
+ else if ((iterator = strstr(filename, "/../")) != NULL) {
+ for (iterator2 = iterator - 1; iterator2 > filename && *iterator2 != '/'; --iterator2)
+ continue;
+ /* iterator2 >= filename, handle the initial slash above, if necessary */
+ memmove(iterator2, iterator + 3, strlen(iterator) - 2);
+ } else
+ break;
+ }
+}
+
 int extract_jar(int fd, char **files, int file_num){
 int rdamt;
 int out_a, in_a;
@@ -1699,6 +1724,13 @@
 pb_read(&pbf, filename, fnlen);
 filename[fnlen] = '\0';
 
+ canonical_filename(filename);
+
+ if (*filename == '\0') {
+ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
+ exit(1);
+ }
+
 #ifdef DEBUG
 printf("filename is %s\n", filename);
 #endif
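Review bot: canonical_filename only treats `..` as a parent reference when a `/` follows it (the `filename[2] == '/'` test and the `"/../"` search), so a name that is exactly `..` or ends in `/..` comes out unchanged, and an input such as `a/../..` is reduced to `..`. The callers added in this commit reject only the empty string, so such a name is passed on to the extraction code, which is outside this hunk. I would either handle the trailing component in the loop or reject it after the call, e.g. `n = strlen(filename); if (strcmp(filename, "..") == 0 || (n >= 3 && strcmp(filename + n - 3, "/..") == 0))` followed by the same error exit. A header comment stating that the function is purely lexical, only ever shortens the string in place, and does not resolve symlinks would also help the next reader.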
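Review bot: The entry name is rewritten in place with no trace in the @@ -1699 hunk, so an archive whose entries carried a leading `/` or `..` components is extracted without any signal to the user, and two distinct entries can now resolve to the same path. Assuming `fnlen` is the byte count just read, as `filename[fnlen] = '\0'` suggests, a warning is cheap: `if (strlen(filename) != (size_t)fnlen) fprintf(stderr, "warning: unsafe path in archive entry rewritten to %s\n", filename);`. The same applies to the identical block in the @@ -2007 hunk. The `exit(1)` on an empty result also leaves any files already extracted in place; if that is intended, a one-line comment should say so. extract_jar's body continues outside the hunk.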
@@ -2007,6 +2039,12 @@ } filename[fnlen] = '\0'; + canonical_filename(filename); + if (*filename == '\0') { + fprintf(stderr, "Error extracting JAR archive, empty file name!\n"); + exit(1); + } + /* if the user specified a list of files on the command line, we'll only display those, otherwise we'll display everything */ if(file_num > 0){ _______________________________________________ kaffe mailing list [email protected] http://kaffe.org/cgi-bin/mailman/listinfo/kaffe
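Review bot: The error text says "Error extracting JAR archive", but the context comment just below ("we'll only display those") suggests this block sits in a listing path, where that message is misleading; `fprintf(stderr, "Error listing JAR archive, empty file name!\n");` would match. It is also worth deciding whether a listing should show the canonicalized name at all: printing the name as stored lets someone inspecting an archive see that it carried absolute or `..` paths before extracting it. The enclosing function starts and ends outside the hunk, so this is inferred from the visible context only.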
