2006-07-17 Richard Guenther <rguenther@suse.de>
* jartool.c (extract_jar): Do not allow directory traversal
to parents of the extraction root.
From-SVN: r115946
+2006-08-04 Matthias Klose <doko@debian.org>
+
+ PR fastjar/28359 / CVE-2006-3619
+
+ 2006-07-17 Richard Guenther <rguenther@suse.de>
+ * jartool.c (extract_jar): Do not allow directory traversal
+ to parents of the extraction root.
+
2006-03-09 Release Manager
* GCC 4.0.3 released.
const ub1 *start = filename;
char *tmp_buff;
struct stat sbuf;
+ int depth = 0;
tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
#ifdef DEBUG
printf("checking the existance of %s\n", tmp_buff);
#endif
-
+ if(strcmp(tmp_buff, "..") == 0){
+ --depth;
+ if (depth < 0){
+ fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+ exit(1);
+ }
+ } else if (strcmp(tmp_buff, ".") != 0)
+ ++depth;
if(stat(tmp_buff, &sbuf) < 0){
if(errno != ENOENT){
perror("stat");