busybox/archival/Config.src
Denys Vlasenko 9a8796436b archival: disallow path traversals (CVE-2023-39810)
Create new configure option for archival/libarchive based extractions to
disallow path traversals.
As this is a paranoid option and might introduce backward
incompatibility, default it to no.

Fixes: CVE-2023-39810

Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>

function                                             old     new   delta
data_extract_all                                     921     945     +24
strip_unsafe_prefix                                  101     102      +1
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 25/0)               Total: 25 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2025-04-16 03:03:17 +02:00


#
# For a description of the syntax of this configuration file,
# see docs/Kconfig-language.txt.
#

menu "Archival Utilities"

config FEATURE_SEAMLESS_XZ
	bool "Make tar, rpm, modprobe etc understand .xz data"
	default y

config FEATURE_SEAMLESS_LZMA
	bool "Make tar, rpm, modprobe etc understand .lzma data"
	default y

config FEATURE_SEAMLESS_BZ2
	bool "Make tar, rpm, modprobe etc understand .bz2 data"
	default y

config FEATURE_SEAMLESS_GZ
	bool "Make tar, rpm, modprobe etc understand .gz data"
	default y

config FEATURE_SEAMLESS_Z
	bool "Make tar, rpm, modprobe etc understand .Z data"
	default n # it is ancient

INSERT

config FEATURE_LZMA_FAST
	bool "Optimize lzma for speed"
	default n
	depends on UNLZMA || LZCAT || LZMA || FEATURE_SEAMLESS_LZMA
	help
	This option reduces decompression time by about 25% at the cost of
	a 1K bigger binary.

config FEATURE_PATH_TRAVERSAL_PROTECTION
	bool "Prevent extraction of filenames with /../ path component"
	default n
	help
	busybox tar and unzip remove "PREFIX/../" (if it exists)
	from extracted names.
	This option enables this behavior for all other unpacking applets,
	such as cpio, ar, rpm.
	GNU cpio 2.15 has NO such sanity check.
	# try other archivers and document their behavior?

endmenu
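The help text above describes two checks: dropping a leading "PREFIX/../" from a member name, and refusing names that still carry a "/../" component. The C below is an added illustration of that logic written for this page; it is not busybox's own strip_unsafe_prefix() or data_extract_all() code, and the function names are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer into `name` past any leading "/", "./" or "../"
 * components: the "PREFIX/../" that the help text says tar and unzip drop. */
const char *skip_unsafe_prefix(const char *name)
{
	for (;;) {
		if (name[0] == '/') {
			name++;                         /* absolute -> relative */
		} else if (name[0] == '.' && name[1] == '/') {
			name += 2;                      /* redundant "./" */
		} else if (name[0] == '.' && name[1] == '.'
			   && (name[2] == '/' || name[2] == '\0')) {
			name += (name[2] == '/') ? 3 : 2;   /* "../" or bare ".." */
		} else {
			return name;
		}
	}
}

/* True if any path component of `name` is exactly "..": the embedded
 * "/../" case that stripping the leading prefix alone would miss. */
bool has_dotdot_component(const char *name)
{
	const char *p = name;
	while (*p) {
		size_t len = strcspn(p, "/");
		if (len == 2 && p[0] == '.' && p[1] == '.')
			return true;
		p += len;
		while (*p == '/')
			p++;
	}
	return false;
}

/* Name to create under the extraction directory, or NULL to refuse the
 * member (empty after stripping, or still containing a ".." component). */
const char *safe_extract_name(const char *name)
{
	const char *rel = skip_unsafe_prefix(name);
	if (*rel == '\0' || has_dotdot_component(rel))
		return NULL;
	return rel;
}
```

A member name such as "lib/../../etc/passwd" is refused outright, while "../bin/busybox" is reduced to "bin/busybox" and extracted relative to the current directory.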