pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/archivers/fastjar Normalise path names as relative und...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/59069b63fbeb
branches:  trunk
changeset: 509767:59069b63fbeb
user:      joerg <joerg%pkgsrc.org@localhost>
date:      Tue Mar 14 14:02:01 2006 +0000

description:
Normalise path names as relative under cwd, as if they had been
extracted under chroot. Don't attempt to deal with existing symlinks
to directories. This prevents directory traversal and therefore the
creation of arbitrary files. Bump revision.

diffstat:

 archivers/fastjar/Makefile         |   4 +-
 archivers/fastjar/distinfo         |   4 +-
 archivers/fastjar/patches/patch-ad |  54 +++++++++++++++++++++++++++++++++++--
 3 files changed, 55 insertions(+), 7 deletions(-)

diffs (93 lines):

diff -r 1d31b49bc397 -r 59069b63fbeb archivers/fastjar/Makefile
--- a/archivers/fastjar/Makefile        Tue Mar 14 13:56:12 2006 +0000
+++ b/archivers/fastjar/Makefile        Tue Mar 14 14:02:01 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.14 2006/03/04 21:28:52 jlam Exp $
+# $NetBSD: Makefile,v 1.15 2006/03/14 14:02:01 joerg Exp $
 #
 
 DISTNAME=      fastjar-0.93
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    archivers
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=fastjar/}
 EXTRACT_SUFX=  .tgz
diff -r 1d31b49bc397 -r 59069b63fbeb archivers/fastjar/distinfo
--- a/archivers/fastjar/distinfo        Tue Mar 14 13:56:12 2006 +0000
+++ b/archivers/fastjar/distinfo        Tue Mar 14 14:02:01 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2005/12/01 17:01:25 rillig Exp $
+$NetBSD: distinfo,v 1.11 2006/03/14 14:02:01 joerg Exp $
 
 SHA1 (fastjar-0.93.tgz) = 74acc8e8a920ea6da18a180cd0a691c5d7c4699f
 RMD160 (fastjar-0.93.tgz) = 1627f2316cc7bca6a477011d1b812b140900d987
@@ -6,4 +6,4 @@
 SHA1 (patch-aa) = 12cc5397a89c18d239164caa3955121ca6d01de0
 SHA1 (patch-ab) = c13f46e1a3e60a3bbe656af609a5c9fb047a4ca3
 SHA1 (patch-ac) = ce8eefb978a93d0043f8b98fbf4049f022ce663c
-SHA1 (patch-ad) = 3d0a5c0afc02b1bee58c415f3b3f2691d0e0dcda
+SHA1 (patch-ad) = c988c11e01c364d94a7a12c3eb4dc933b12861a0
diff -r 1d31b49bc397 -r 59069b63fbeb archivers/fastjar/patches/patch-ad
--- a/archivers/fastjar/patches/patch-ad        Tue Mar 14 13:56:12 2006 +0000
+++ b/archivers/fastjar/patches/patch-ad        Tue Mar 14 14:02:01 2006 +0000
@@ -1,9 +1,57 @@
-$NetBSD: patch-ad,v 1.4 2005/12/01 17:01:25 rillig Exp $
+$NetBSD: patch-ad,v 1.5 2006/03/14 14:02:01 joerg Exp $
 
---- jartool.c.orig     2001-01-11 00:38:15.000000000 -0800
+--- jartool.c.orig     2001-01-11 09:38:15.000000000 +0100
 +++ jartool.c
-@@ -171,4 +171,2 @@
+@@ -171,4 +171,2 @@ static char rcsid[] = "$Id: jartool.c,v 
  
 -extern int errno;
 -
  void usage(char*);
+@@ -1143,2 +1141,27 @@ int create_central_header(int fd){
+ 
++static void canonical_filename(char *filename)
++{
++    char *iterator, *iterator2;
++
++    for (;;) {
++      if (*filename == '/')
++          memmove(filename, filename + 1, strlen(filename));
++      else if (filename[0] == '.' && filename[1] == '/')
++          memmove(filename, filename + 2, strlen(filename) - 1);
++      else if (filename[0] == '.' && filename[1] == '.' && filename[2] == '/')
++          memmove(filename, filename + 3, strlen(filename) - 2);
++      else if ((iterator = strstr(filename, "//")) != NULL)
++          memmove(iterator, iterator + 1, strlen(iterator));
++      else if ((iterator = strstr(filename, "/./")) != NULL)
++          memmove(iterator, iterator + 2, strlen(iterator) - 1);
++      else if ((iterator = strstr(filename, "/../")) != NULL) {
++          for (iterator2 = iterator - 1; iterator2 > filename && *iterator2 != '/'; --iterator2)
++              continue;
++          /* iterator2 >= filename, handle the initial slash above, if necessary */
++          memmove(iterator2, iterator + 3, strlen(iterator) - 2);
++      } else
++          break;
++    }
++}
++
+ int extract_jar(int fd, char **files, int file_num){
+@@ -1251,2 +1274,9 @@ int extract_jar(int fd, char **files, in
+ 
++     canonical_filename(filename);
++
++     if (*filename == '\0') {
++        fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
++        exit(1);
++      }
++
+ #ifdef DEBUG    
+@@ -1563,2 +1593,9 @@ int list_jar(int fd, char **files, int f
+       filename[fnlen] = '\0';
++
++      canonical_filename(filename);
++      if (*filename == '\0') {
++          fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
++          exit(1);
++      }
++
+     
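Review bot: canonical_filename() only collapses `..` when a slash follows it, so a name that is exactly `..` or ends in `/..` (which is what `x/../..` reduces to) comes out of the loop still holding a parent-directory component. What extract_jar does with such a final component is not visible in this hunk, and opening a directory for writing would presumably fail, but the helper should not leave the case open: after the loop, `if (strcmp(filename, "..") == 0 || ((iterator = strrchr(filename, '/')) != NULL && strcmp(iterator, "/..") == 0)) *filename = '\0';` lets the existing empty-name check in both callers refuse the entry. The helper would also benefit from a short comment saying that it rewrites the NUL-terminated buffer in place and never lengthens it. In the list_jar hunk the message still reads "Error extracting JAR archive", which is misleading when the archive is only being listed. The bodies of extract_jar and list_jar continue outside the hunk.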


