
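--- a/unace1.2b.orig/uac_crt.c
+++ b/unace1.2b.orig/uac_crt.c
@@ -35,12 +35,15 @@
 
 /* gets file name from header
  */
-CHAR *ace_fname(CHAR * s, thead * head, INT nopath)
+CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size)
 {
-   INT  i;
+   unsigned int i;
    char *cp;
 
-   strncpy(s, (*(tfhead *) head).FNAME, i = (*(tfhead *) head).FNAME_SIZE);
+   i = (*(tfhead *) head).FNAME_SIZE;
+   if (i > (size - 1))
+     i = size - 1;
+   strncpy(s, (*(tfhead *) head).FNAME, i);
    s[i] = 0;
 
    if (nopath)
@@ -58,22 +61,73 @@
    }
 #endif
 
+   cp = s;
+   while (*cp == '/') cp++;
+   if (cp != s)
+     memmove(s, cp, strlen(cp) + 1);
+
    return s;
 }
 
+int is_directory_traversal(char *str)
+{
+  unsigned int mode, countdots;
+  /* mode 0 = fresh, 1 = just dots, 2 = not just dots */
+
+  mode = countdots = 0;
+
+  while (*str)
+  {
+    char ch = *str++;
+
+    if ((ch == '/') && (mode == 1) && (countdots > 1))
+      return 1;
+
+    if (ch == '/')
+    {
+       mode = countdots = 0;
+       continue;
+    }
+
+    if (ch == '.')
+    {
+      if (mode == 0)
+        mode = 1;
+
+      countdots++;
+    }
+    else
+      mode = 2;
+  }
+
+  if ((mode == 1) && (countdots > 1))
+    return 1;
+
+  return 0;
+}
+
 void check_ext_dir(CHAR * f)        // checks/creates path of file
 {
    CHAR *cp,
         d[PATH_MAX];
-   INT  i;
+   unsigned int i;
 
    d[0] = 0;
 
+   if (is_directory_traversal(f))
+   {
+      f_err = ERR_WRITE;
+      printf("\n    Directory traversal attempt:  %s\n", f);
+      return;
+   }
+
    for (;;)
    {
       if ((cp = (CHAR *) strchr(&f[strlen(d) + 1], DIRSEP))!=NULL)
       {
          i = cp - f;
+         if (i > (PATH_MAX - 1))
+           i = PATH_MAX - 1;
          strncpy(d, f, i);
          d[i] = 0;
       }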
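Review bot: is_directory_traversal and the leading-slash strip added to ace_fname test the literal `'/'`, whereas check_ext_dir splits the same name on `DIRSEP`; if a build defines DIRSEP as something other than `/`, and the unshown lines between the two hunks do not normalise separators, dot-dot components and absolute prefixes written with that separator would not be recognised. Comparing against both, e.g. `if (ch == '/' || ch == DIRSEP)`, keeps the check aligned with the code that creates the directories. check_ext_dir only sets `f_err = ERR_WRITE` and returns, so the rejection is effective only if its caller, which is outside this diff, tests f_err before opening the destination. is_directory_traversal would also benefit from a header comment such as `/* returns 1 if any '/'-separated component of str consists solely of two or more dots */`. check_ext_dir's loop continues past the end of the hunk.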
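--- a/unace1.2b.orig/uac_crt.h
+++ b/unace1.2b.orig/uac_crt.h
@@ -8,7 +8,7 @@
 
 #include "acestruc.h"
 
-CHAR *ace_fname(CHAR * s, thead * head, INT nopath);
+CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size);
 INT  create_dest_file(CHAR * file, INT a);
 
 #ifdef UNIX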
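Review bot: The new `size` parameter is undocumented in the prototype, and ace_fname in uac_crt.c computes `size - 1` on an unsigned value, so a caller passing 0 would get a wrapped bound instead of a rejected call. A comment above the declaration such as `/* size: capacity of s in bytes, including the terminating NUL; must be >= 1 */` would state the contract. `size_t` would also match the `sizeof(file)` arguments the callers in unace.c pass, though `unsigned int` is adequate for path-sized buffers.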
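--- a/unace1.2b.orig/unace.c
+++ b/unace1.2b.orig/unace.c
@@ -242,6 +242,7 @@
 INT  open_archive(INT print_err)        // opens archive (or volume)
 {
    CHAR av_str[80];
+   unsigned int copylen;
 
    archan = open(aname, O_RDONLY | O_BINARY);   // open file
 
@@ -265,8 +266,11 @@
       sprintf(av_str, "\ncreated on %d.%d.%d by ",
               ts_day(adat.time_cr), ts_month(adat.time_cr), ts_year(adat.time_cr));
       printf(av_str);
-      strncpy(av_str, mhead.AV, mhead.AV_SIZE);
+      copylen = mhead.AV_SIZE;
-      av_str[mhead.AV_SIZE] = 0;
+      if (copylen > 79)
+        copylen = 79;
+      strncpy(av_str, mhead.AV, copylen);
+      av_str[copylen] = 0;
       printf("%s\n\n", av_str);
    }
    comment_out("Main comment:");        // print main comment
@@ -302,7 +306,7 @@
 INT  proc_vol(void)                     // opens volume
 {
    INT  i;
-   CHAR s[80];
+   CHAR s[PATH_MAX + 80];
 
    // if f_allvol_pr is 2 we have -y and should never ask
    if ((!fileexists_insense(aname) && f_allvol_pr != 2) || !f_allvol_pr)
@@ -430,7 +434,7 @@
       if (head.HEAD_TYPE == FILE_BLK)
       {
          comment_out("File comment:");   // show file comment
-         ace_fname(file, &head, nopath); // get file name
+         ace_fname(file, &head, nopath, sizeof(file)); // get file name
          printf("\n%s", file);
          flush;
          dcpr_init_file();               // initialize decompression of file
@@ -498,7 +502,7 @@
       if (head.HEAD_TYPE == FILE_BLK)
       {
          ULONG ti=fhead.FTIME;
-         ace_fname(file, &head, verbose ? 0 : 1); // get file name
+         ace_fname(file, &head, verbose ? 0 : 1, sizeof(file)); // get file name
 
          size  += fhead.SIZE;
          psize +=
@@ -590,7 +594,8 @@
 
       init_unace();                              // initialize unace
 
-      strcpy(aname, argv[arg_cnt]);              // get archive name
+      strncpy(aname, argv[arg_cnt], sizeof(aname) - 4);  // get archive name
+      aname[sizeof(aname) - 5] = '\0';
       if (!(s = (CHAR *) strrchr(aname, DIRSEP)))
          s = aname;
       if (!strrchr(s, '.'))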
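Review bot: The clamp added in open_archive hard-codes `79`, which silently goes stale if `CHAR av_str[80]` is ever resized; `if (copylen > sizeof(av_str) - 1) copylen = sizeof(av_str) - 1;` ties the bound to the buffer. The two `ace_fname(..., sizeof(file))` calls are a real bound only if `file` is an array in those scopes; its declaration is outside the hunks, so that is worth confirming, since a pointer would make `sizeof` yield the pointer size. In proc_vol the buffer `s` grows to `PATH_MAX + 80`, but the writes into it are outside the hunk, so whether they are now bounded cannot be judged from here. In the last hunk the `- 4` and `- 5` presumably reserve room for an extension appended later; a short comment saying so would explain why the two constants differ.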
