diff options
author | Björn Gustavsson <[email protected]> | 2017-04-19 11:43:29 +0200 |
---|---|---|
committer | Björn Gustavsson <[email protected]> | 2017-04-19 11:43:29 +0200 |
commit | b5b5a7f7469bd041959d4b48e4eeff49faa7f377 (patch) | |
tree | a607300c1cbc2c7ea66eaf6e96494b1e0467d149 /lib/stdlib/test | |
parent | 6124bfc9b61227a5e82f1d7273d0895e909aac6e (diff) | |
parent | 05f20a9790fa88011c1ce7099e0a660aa83195a9 (diff) | |
download | otp-b5b5a7f7469bd041959d4b48e4eeff49faa7f377.tar.gz otp-b5b5a7f7469bd041959d4b48e4eeff49faa7f377.tar.bz2 otp-b5b5a7f7469bd041959d4b48e4eeff49faa7f377.zip |
Merge branch 'bjorn/stdlib/erl_tar/OTP-14278'
* bjorn/stdlib/erl_tar/OTP-14278:
erl_tar: Handle leading slashes and directory traversal attacks
Don't create absolute path names in tar files
Diffstat (limited to 'lib/stdlib/test')
-rw-r--r-- | lib/stdlib/test/tar_SUITE.erl | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/lib/stdlib/test/tar_SUITE.erl b/lib/stdlib/test/tar_SUITE.erl index 2e1ae7bcff..76fa760fa8 100644 --- a/lib/stdlib/test/tar_SUITE.erl +++ b/lib/stdlib/test/tar_SUITE.erl @@ -27,7 +27,7 @@ extract_from_binary_compressed/1, extract_filtered/1, extract_from_open_file/1, symlinks/1, open_add_close/1, cooked_compressed/1, memory/1,unicode/1,read_other_implementations/1, - sparse/1, init/1]). + sparse/1, init/1, leading_slash/1, dotdot/1]). -include_lib("common_test/include/ct.hrl"). -include_lib("kernel/include/file.hrl"). @@ -41,7 +41,7 @@ all() -> extract_filtered, symlinks, open_add_close, cooked_compressed, memory, unicode, read_other_implementations, - sparse,init]. + sparse,init,leading_slash,dotdot]. groups() -> []. @@ -920,6 +920,39 @@ unicode_create_files() -> [] end]. +leading_slash(Config) -> + PrivDir = proplists:get_value(priv_dir, Config), + Dir = filename:join(PrivDir, ?FUNCTION_NAME), + TarFile = filename:join(Dir, "leading_slash.tar"), + ok = filelib:ensure_dir(TarFile), + {ok,Fd} = erl_tar:open(TarFile, [write]), + TarMemberName = "e/d/c/b/a_member", + TarMemberNameAbs = "/" ++ TarMemberName, + Contents = <<"contents\n">>, + ok = erl_tar:add(Fd, Contents, TarMemberNameAbs, [verbose]), + ok = erl_tar:close(Fd), + + ok = erl_tar:extract(TarFile, [{cwd,Dir}]), + + {ok,Contents} = file:read_file(filename:join(Dir, TarMemberName)), + ok. + +dotdot(Config) -> + PrivDir = proplists:get_value(priv_dir, Config), + Dir = filename:join(PrivDir, ?FUNCTION_NAME), + ok = file:make_dir(Dir), + Tar = filename:join(Dir, "dotdot.tar"), + {ok,Fd} = erl_tar:open(Tar, [write]), + BeamFile = code:which(?MODULE), + ok = erl_tar:add(Fd, BeamFile, "a/./../../some_file", []), + ok = erl_tar:close(Fd), + + {error,{_,unsafe_path=Error}} = erl_tar:extract(Tar, [{cwd,Dir}]), + false = filelib:is_regular(filename:join(PrivDir, "some_file")), + io:format("~s\n", [erl_tar:format_error(Error)]), + + ok. + %% Delete the given list of files. delete_files([]) -> ok; delete_files([Item|Rest]) -> |