Group :: Arquivamento/Compressão
RPM: kde5-ark
Patch: CVE-2020-16116.patch
diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp
index fdaa48695fd9019af760ded3a99879905a0b476e..f73b56f862ed525953f6fd7d7b5217f43c315376 100644
--- a/kerfuffle/jobs.cpp
+++ b/kerfuffle/jobs.cpp
@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details)
void Job::onEntry(Archive::Entry *entry)
{
+ const QString entryFullPath = entry->fullPath();
+ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
+ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
+ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString());
+ onFinished(false);
+ return;
+ }
+
emit newEntry(entry);
}
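Review bot: The guard at the top of Job::onEntry lets two traversal shapes through: after `QDir::cleanPath` an entry that is exactly `..` (or `../`, whose trailing separator cleanPath appears to strip) no longer contains the substring `../`, and an absolute entry path such as `/tmp/x` is never touched by the substring test at all, so whether it lands outside the destination depends on how the extraction code joins paths, which is not visible in this hunk. I would keep the cleaned path in a local and test it explicitly: `const QString cleaned = QDir::cleanPath(entryFullPath);` followed by `if (cleaned == QLatin1String("..") || cleaned.contains(QLatin1String("../")) || QDir::isAbsolutePath(cleaned)) {`. A symlink entry whose target points outside the extraction directory is a separate vector that a name-only check cannot see; if the extraction path dereferences symlinks, that deserves a follow-up rather than being folded into this guard. A one-line comment above the check, `// Reject entries whose normalized path could resolve outside the extraction directory`, would make the intent clear to the next reader.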