Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)

To: gnats-bugs%netbsd.org@localhost
Subject: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
From: Joerg Sonnenberger <joerg%bec.de@localhost>
Date: Sun, 4 Oct 2020 20:28:08 +0200

On Sun, Oct 04, 2020 at 10:40:01AM +0000, Martin Husemann wrote:
>  +   /* remove all "../" inside filename */
>  +   while ((p = strstr( fname, "../" )) != NULL) {
>  +      l = strlen(p+3);
>  +      if (l == 0)
>  +        *p = 0;
>  +      else
>  +         memmove(p, p+3, l);
>  +   }

This doesn't seem to be correct. It should remove "../" from the start
of the path and "/../" anywhere else. foo../ is a valid path name.

Joerg

Follow-Ups:
- Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
  - From: stegozor

References:
- Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
  - From: Martin Husemann

Prev by Date: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Next by Date: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Previous by Thread: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Next by Thread: Re: pkg/55684 (Absolute & relative directory traversal with archivers/zoo)
Indexes:

Home | Main Index | Thread Index | Old Index