This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug fastjar/28359] fastjar directory traversal problem

From: "jakub at redhat dot com" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: 17 Jul 2006 12:21:03 -0000
Subject: [Bug fastjar/28359] fastjar directory traversal problem
References: <bug-28359-3760@http.gcc.gnu.org/bugzilla/>
Reply-to: gcc-bugzilla at gcc dot gnu dot org


------- Comment #12 from jakub at redhat dot com  2006-07-17 12:21 -------
The patch in #4 is insufficient.  Consider paths like ././../.././../etc/passwd
which satisfies the depth tests, yet clearly escapes the current dir tree.
Another question is about symlinks, if there is a foo -> ../../../../etc
symlink in the current tree, then I believe fastjar will happily store
foo/passwd into ../../../../etc/passwd, is that something that can be declared
as user's fault or should fastjar always canonicalize the filename and don't
allow leaving the current directory tree in any way?


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28359

References:
- [Bug fastjar/28359] New: fastjar directory traversal problem
  - From: marcus at jet dot franken dot de

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]