unpack_in allows creating directories outside the dst directory #238
Comments
Correction: The file isn't written but the folders are still created in the parent directory with the most recent version.

@alexcrichton we have a request to add a RUSTSEC advisory for this, FYI rustsec/advisory-db#965

Thanks for the heads up!
benesch pushed a commit to benesch/tar-rs that referenced this issue Aug 9, 2021
The following code will create the folders `exploit` and `exploit/foo` outside of the `demo` folder:

`Entry::unpack_in` calls `fs::create_dir_all` (src/entry.rs:406) on the untrusted path and therefore can create directories outside of the `dst` directory.

Note: The provided code will fail with the expected error that `symlink/exploit/foo/bar` is outside of `demo`, but the parent directories are already created outside of the `demo` folder.

This is kind of related to #129, but still works in the current master.