Module Name:    src
Committed By:   christos
Date:           Sun Jan 12 16:10:49 UTC 2020

Modified Files:
        src/external/bsd/libarchive/dist/libarchive: archive_write_disk_posix.c
        src/external/bsd/libarchive/dist/libarchive/test:
            test_write_disk_secure.c test_write_disk_secure744.c
            test_write_disk_secure746.c
        src/external/bsd/libarchive/dist/tar/test: test_option_U_upper.c
            test_symlink_dir.c

Log Message:
Leave pre-existing symlinks alone on extraction

When libarchive encounters an existing symbolic link during extraction
it removes that symbolic link first before overwriting it, unless
it is told that it can trust symlinks from the archive.

Placing symbolic links on known paths in the extracting subdirectory
is a simple way that a system administrator can place data at a
different location without having the overhead of a mountpoint.

Trusting symlinks from an archive is never safe because they can
maliciously overwrite files outside of the extraction directory.

This patch adds a linked-list to keep track of the symbolic links that
were created during extraction so that it does not trust them. This
way during extraction, libarchive can remove the symlinks it created,
but leave the pre-existing ones alone.

Unit-tests were adjusted for this new behavior.

(this is pull request 1300)


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
    src/external/bsd/libarchive/dist/libarchive/archive_write_disk_posix.c
cvs rdiff -u -r1.1.1.3 -r1.2 \
    src/external/bsd/libarchive/dist/libarchive/test/test_write_disk_secure.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
    src/external/bsd/libarchive/dist/libarchive/test/test_write_disk_secure744.c \
    src/external/bsd/libarchive/dist/libarchive/test/test_write_disk_secure746.c
cvs rdiff -u -r1.1.1.2 -r1.2 \
    src/external/bsd/libarchive/dist/tar/test/test_option_U_upper.c
cvs rdiff -u -r1.1.1.3 -r1.2 \
    src/external/bsd/libarchive/dist/tar/test/test_symlink_dir.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
