vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity

archive: prevent breakout in ApplyLayer

Browse source 
Signed-off-by: Tibor Vass <teabee89@gmail.com>
This commit is contained in:
Tibor Vass 2014-10-31 13:18:39 -04:00 committed by unclejack
parent b1096c99d2
commit 1f3c20dca4
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
archive/diff.go
View file

@ -24,6 +24,8 @@ func mkdev(major int64, minor int64) uint32 {
// ApplyLayer parses a diff in the standard layer format from `layer`, and
// applies it to the directory `dest`.
func ApplyLayer(dest string, layer ArchiveReader) error {
dest = filepath.Clean(dest)
// We need to be able to set any perms
oldmask := syscall.Umask(0)
defer syscall.Umask(oldmask)
@ -93,6 +95,12 @@ func ApplyLayer(dest string, layer ArchiveReader) error {
path := filepath.Join(dest, hdr.Name)
base := filepath.Base(path)
// Prevent symlink breakout
if !strings.HasPrefix(path, dest) {
return breakoutError(fmt.Errorf("%q is outside of %q", path, dest))
}
if strings.HasPrefix(base, ".wh.") {
originalBase := base[len(".wh."):]
originalPath := filepath.Join(filepath.Dir(path), originalBase)