archive/tar: validate Linkname for insecure paths in Reader.Next#79130
archive/tar: validate Linkname for insecure paths in Reader.Next#79130metsw24-max wants to merge 2 commits into
Conversation
|
This PR (HEAD: b021885) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/go/+/772900. Important tips:
|
|
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/772900. |
|
Message from Gopher Robot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be During May-July and Nov-Jan the Go project is in a code freeze, during which Please don’t reply on this GitHub thread. Visit golang.org/cl/772900. |
|
Updated the PR title and description per the robot's findings: added the archive/tar package prefix, wrapped the body at ~76 columns and referenced #55356. Also pushed a follow-up commit that reuses the existing filepath.IsLocal check for Linkname (the separate Clean step was redundant) and fixes formatting, so the change is now a fair bit smaller. |
|
This PR (HEAD: 5c96d9b) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/go/+/772900. Important tips:
|
|
This PR is being closed because golang.org/cl/772900 has been abandoned. Sorry, but this isn't a change we should make. |
The archive/tar Reader validates Header.Name for insecure paths when
GODEBUG=tarinsecurepath=0, but does not apply the same validation to
Header.Linkname.
This means an entry can pass the Header.Name check while carrying a
crafted Linkname that bypasses the intended path safety checks. Since
Header.Linkname is used when creating symlinks and hard links, it can
influence filesystem resolution during extraction in common usage
patterns, so it is equally security-sensitive.
Validate Header.Linkname with filepath.IsLocal in Reader.Next, matching
the existing Header.Name check, and return ErrInsecurePath when it is
non-local. Empty link names are skipped. Also add a regression test to
ensure an insecure Linkname triggers ErrInsecurePath without affecting
subsequent entries.
Updates #55356