diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2019-12-13 18:11:37 +0100 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2019-12-13 19:05:26 +0100 |
commit | 5a6d6da7aea23a48126a77f98612518af66bc203 (patch) | |
tree | d21796b9843e5d87c0786b49acf70fe9ee92eca7 /nix-rust | |
parent | 4581159e3f5a1cc38aa8e90dfd45f0a63354be44 (diff) |
Validate tarball components
Diffstat (limited to 'nix-rust')
-rw-r--r-- | nix-rust/src/c.rs | 5 | ||||
-rw-r--r-- | nix-rust/src/error.rs | 4 | ||||
-rw-r--r-- | nix-rust/src/util/tarfile.rs | 18 |
3 files changed, 22 insertions, 5 deletions
diff --git a/nix-rust/src/c.rs b/nix-rust/src/c.rs index 19e737a88..3feeb71a3 100644 --- a/nix-rust/src/c.rs +++ b/nix-rust/src/c.rs @@ -11,7 +11,10 @@ pub extern "C" fn unpack_tarfile( source: foreign::Source, dest_dir: &str, ) -> CBox<Result<(), error::CppException>> { - CBox::new(util::tarfile::unpack_tarfile(source, dest_dir).map_err(|err| err.into())) + CBox::new( + util::tarfile::unpack_tarfile(source, std::path::Path::new(dest_dir)) + .map_err(|err| err.into()), + ) } #[no_mangle] diff --git a/nix-rust/src/error.rs b/nix-rust/src/error.rs index c2ba5d504..586a8f53d 100644 --- a/nix-rust/src/error.rs +++ b/nix-rust/src/error.rs @@ -23,6 +23,7 @@ pub enum Error { HttpError(hyper::error::Error), Misc(String), Foreign(CppException), + BadTarFileMemberName(String), } impl From<std::io::Error> for Error { @@ -64,6 +65,9 @@ impl fmt::Display for Error { Error::HttpError(err) => write!(f, "HTTP error: {}", err), Error::Foreign(_) => write!(f, "<C++ exception>"), // FIXME Error::Misc(s) => write!(f, "{}", s), + Error::BadTarFileMemberName(s) => { + write!(f, "tar archive contains illegal file name '{}'", s) + } } } } diff --git a/nix-rust/src/util/tarfile.rs b/nix-rust/src/util/tarfile.rs index 379d9098f..74d60692c 100644 --- a/nix-rust/src/util/tarfile.rs +++ b/nix-rust/src/util/tarfile.rs @@ -2,18 +2,28 @@ use crate::{foreign::Source, Error}; use std::fs; use std::io; use std::os::unix::fs::OpenOptionsExt; -use std::path::Path; +use std::path::{Component, Path}; use tar::Archive; -pub fn unpack_tarfile(source: Source, dest_dir: &str) -> Result<(), Error> { - let dest_dir = Path::new(dest_dir); +pub fn unpack_tarfile(source: Source, dest_dir: &Path) -> Result<(), Error> { + fs::create_dir_all(dest_dir)?; let mut tar = Archive::new(source); for file in tar.entries()? { let mut file = file?; - let dest_file = dest_dir.join(file.path()?); + let path = file.path()?; + + for i in path.components() { + if let Component::Prefix(_) | Component::RootDir | Component::ParentDir = i { + return Err(Error::BadTarFileMemberName( + file.path()?.to_str().unwrap().to_string(), + )); + } + } + + let dest_file = dest_dir.join(path); fs::create_dir_all(dest_file.parent().unwrap())?; |