From 867c88dadccff6e285c48dadccb61f9001b50d9b Mon Sep 17 00:00:00 2001
From: Raphael Hertzog
Date: Tue, 18 Mar 2008 17:39:08 +0100
Subject: [PATCH] Avoid extracting files through symlinks

* scripts/Dpkg/Source/Package/V2_0.pm (do_extract): Now that the debian tarball is extracted in-place over the unpacked source directory, it's important to not let tar unpack files in symlinked directories (otherwise it would be possible to write files outside of the unpacked source tree).
---
 scripts/Dpkg/Source/Package/V2_0.pm | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/scripts/Dpkg/Source/Package/V2_0.pm b/scripts/Dpkg/Source/Package/V2_0.pm
index 0a24da2b..a2563614 100644
--- a/scripts/Dpkg/Source/Package/V2_0.pm
+++ b/scripts/Dpkg/Source/Package/V2_0.pm
@@ -36,6 +36,7 @@ use File::Basename;
 use File::Temp qw(tempfile tempdir);
 use File::Path;
 use File::Spec;
+use File::Find;
 
 sub init_options {
 my ($self) = @_;
@@ -118,8 +119,20 @@ sub do_extract {
 # Extract debian tarball after removing the debian directory
 info(_g("unpacking %s"), $debianfile);
 erasedir("$newdirectory/debian");
+ # Exclude existing symlinks from extraction of debian.tar.gz as we
+ # don't want to overwrite something outside of $newdirectory due to a
+ # symlink
+ my @exclude_symlinks;
+ my $wanted = sub {
+ return if not -l $_;
+ my $fn = File::Spec->abs2rel($_, $newdirectory);
+ push @exclude_symlinks, "--exclude", $fn;
+ };
+ find({ wanted => $wanted, no_chdir => 1 }, $newdirectory);
 $tar = Dpkg::Source::Archive->new(filename => "$dscdir$debianfile");
- $tar->extract($newdirectory, in_place => 1);
+ $tar->extract($newdirectory, in_place => 1,
+ options => [ '--anchored', '--no-wildcards',
+ @exclude_symlinks ]);
 
 # Apply patches (in a separate method as it might be overriden)
 $self->apply_patches($newdirectory);
-- 
2.39.5
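Review bot: The exclusion list built in do_extract is matched literally (`--anchored --no-wildcards`) against member names, so it only protects when names in the debian tarball have exactly the form `File::Spec->abs2rel` produces; a member stored with a leading `./` would, as far as I can tell from tar's matching rules, not be caught, which is worth confirming with a test. The scan also sees only symlinks that exist before extraction, so it relies on tar itself to refuse writing through a symlink that the archive creates. I would record both assumptions next to the `find` call, e.g. `# Only symlinks already in $newdirectory are excluded; member names are assumed relative, without "./"`, and consider rejecting a debian tarball whose members fall outside `debian/` before extracting. Each symlink adds two argv entries, so a tree with very many symlinks could exceed the exec argument limit and make extraction fail. do_extract starts and ends outside the hunk.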