libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1

function old new delta unsafe_symlink_target - 147 +147 unzip_main 2711 2732 +21 copy_file 1657 1678 +21 tar_main 999 971 -28 data_extract_all 1038 984 -54 ------------------------------------------------------------------------------ (add/remove: 2/0 grow/shrink: 2/2 up/down: 189/-82) Total: 107 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko 2017-08-10 11:52:42 +0200
committer: Denys Vlasenko 2017-08-10 11:52:42 +0200
commit: bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7 (patch)
tree: 72672bb0c187b93f1fba99012cf0c4e716214298 /archival/unzip.c
parent: 0cf64c8b5d86d603903397bfce87dea5a862caec (diff)
download: busybox-bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7.zip
busybox-bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7.tar.gz
1 files changed, 8 insertions, 2 deletions
diff --git a/archival/unzip.c b/archival/unzip.c
index 8ed9ae7..6041660 100644
--- a/archival/unzip.c
+++ b/archival/unzip.c
@@ -368,9 +368,15 @@ static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
 		target[xstate.mem_output_size] = '\0';
 #endif
 	}
+	if (!unsafe_symlink_target(target)) {
 //TODO: libbb candidate
-	if (symlink(target, dst_fn))
-		bb_perror_msg_and_die("can't create symlink '%s'", dst_fn);
+		if (symlink(target, dst_fn)) {
+			/* shared message */
+			bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+				"sym", dst_fn, target
+			);
+		}
+	}
 	free(target);
 }
 #endif
author	Denys Vlasenko	2017-08-10 11:52:42 +0200
committer	Denys Vlasenko	2017-08-10 11:52:42 +0200
commit	bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7 (patch)
tree	72672bb0c187b93f1fba99012cf0c4e716214298 /archival/unzip.c
parent	0cf64c8b5d86d603903397bfce87dea5a862caec (diff)
download	busybox-bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7.zip busybox-bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7.tar.gz