Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:aualin:kde
kdelibs3
kdelibs-3.5.10-CVE-2016-6232.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File kdelibs-3.5.10-CVE-2016-6232.patch of Package kdelibs3
From 261a3b7a126b7a1d28e263085b85bf1905eb4c19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz> Date: Sun, 23 Oct 2016 10:48:01 +0200 Subject: Fix security issue CVE-2016-6232 Based on https://quickgit.kde.org/?p=karchive.git&a=commitdiff&h=0cb243f6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Slávek Banko <slavek.banko@axis.cz> diff --git a/kio/kio/karchive.cpp b/kio/kio/karchive.cpp index b0e0dc6..69e54d1 100644 --- a/kio/kio/karchive.cpp +++ b/kio/kio/karchive.cpp @@ -601,6 +601,7 @@ void KArchiveDirectory::addEntry( KArchiveEntry* entry ) void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const { QDir root; + const QString destDir(QDir(dest).absPath()); // get directory path without any "." or ".." PosSortedPtrList fileList; QMap<int, QString> fileToDir; @@ -620,10 +621,19 @@ void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const QValueStack<QString> dirNameStack; dirStack.push( this ); // init stack at current directory - dirNameStack.push( dest ); // ... with given path + dirNameStack.push( destDir ); // ... with given path do { curDir = dirStack.pop(); - curDirName = dirNameStack.pop(); + + // extract only to specified folder if it is located within archive's extraction folder + // otherwise put file under root position in extraction folder + QString curDirName = dirNameStack.pop(); + if (!QDir(curDirName).absPath().startsWith(destDir)) { + kdWarning() << "Attempted export into folder" << curDirName + << "which is outside of the extraction root folder" << destDir << "." + << "Changing export of contained files to extraction root folder."; + curDirName = destDir; + } root.mkdir(curDirName); dirEntries = curDir->entries(); -- cgit v0.10.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor