diff --git a/composer.lock b/composer.lock
index 278f9d43b..0e655e2a3 100644
--- a/composer.lock
+++ b/composer.lock
@@ -2080,16 +2080,16 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.13",
+ "version": "1.4.14",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
@@ -2156,7 +2156,7 @@
"type": "patreon"
}
],
- "time": "2021-02-16T10:50:50+00:00"
+ "time": "2021-07-20T13:53:39+00:00"
},
{
"name": "pear/console_getopt",
@@ -5869,5 +5869,5 @@
"platform-overrides": {
"php": "7.3.0"
},
- "plugin-api-version": "2.0.0"
+ "plugin-api-version": "2.1.0"
}
diff --git a/composer/installed.json b/composer/installed.json
index c6d2ef0db..ea6fee880 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -2163,17 +2163,17 @@
},
{
"name": "pear/archive_tar",
- "version": "1.4.13",
- "version_normalized": "1.4.13.0",
+ "version": "1.4.14",
+ "version_normalized": "1.4.14.0",
"source": {
"type": "git",
"url": "https://github.com/pear/Archive_Tar.git",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011"
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/2b87b41178cc6d4ad3cba678a46a1cae49786011",
- "reference": "2b87b41178cc6d4ad3cba678a46a1cae49786011",
+ "url": "https://api.github.com/repos/pear/Archive_Tar/zipball/4d761c5334c790e45ef3245f0864b8955c562caa",
+ "reference": "4d761c5334c790e45ef3245f0864b8955c562caa",
"shasum": ""
},
"require": {
@@ -2188,7 +2188,7 @@
"ext-xz": "Lzma2 compression support.",
"ext-zlib": "Gzip compression support."
},
- "time": "2021-02-16T10:50:50+00:00",
+ "time": "2021-07-20T13:53:39+00:00",
"type": "library",
"extra": {
"branch-alias": {
diff --git a/composer/installed.php b/composer/installed.php
index 0c4c3c249..d1b3b68d8 100644
--- a/composer/installed.php
+++ b/composer/installed.php
@@ -5,7 +5,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => 'd1bf85a7c711a101a13f65443216d76426e804fc',
+ 'reference' => '1f66cef37b83a89a902e595e79e05c4eafbc855e',
'name' => 'nextcloud/3rdparty',
'dev' => false,
),
@@ -268,7 +268,7 @@
'type' => 'library',
'install_path' => __DIR__ . '/../',
'aliases' => array(),
- 'reference' => 'd1bf85a7c711a101a13f65443216d76426e804fc',
+ 'reference' => '1f66cef37b83a89a902e595e79e05c4eafbc855e',
'dev_requirement' => false,
),
'nextcloud/lognormalizer' => array(
@@ -305,12 +305,12 @@
'dev_requirement' => false,
),
'pear/archive_tar' => array(
- 'pretty_version' => '1.4.13',
- 'version' => '1.4.13.0',
+ 'pretty_version' => '1.4.14',
+ 'version' => '1.4.14.0',
'type' => 'library',
'install_path' => __DIR__ . '/../pear/archive_tar',
'aliases' => array(),
- 'reference' => '2b87b41178cc6d4ad3cba678a46a1cae49786011',
+ 'reference' => '4d761c5334c790e45ef3245f0864b8955c562caa',
'dev_requirement' => false,
),
'pear/console_getopt' => array(
diff --git a/composer/package-versions-deprecated/src/PackageVersions/Versions.php b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
index 5cea451f5..adc7b9214 100644
--- a/composer/package-versions-deprecated/src/PackageVersions/Versions.php
+++ b/composer/package-versions-deprecated/src/PackageVersions/Versions.php
@@ -64,7 +64,7 @@ final class Versions
'nextcloud/lognormalizer' => 'v1.0.0@87445d69225c247aaff64643b1fc83c6d6df741f',
'nikic/php-parser' => 'v4.10.5@4432ba399e47c66624bc73c8c0f811e5c109576f',
'opis/closure' => '3.6.2@06e2ebd25f2869e54a306dda991f7db58066f7f6',
- 'pear/archive_tar' => '1.4.13@2b87b41178cc6d4ad3cba678a46a1cae49786011',
+ 'pear/archive_tar' => '1.4.14@4d761c5334c790e45ef3245f0864b8955c562caa',
'pear/console_getopt' => 'v1.4.3@a41f8d3e668987609178c7c4a9fe48fecac53fa0',
'pear/pear-core-minimal' => 'v1.10.10@625a3c429d9b2c1546438679074cac1b089116a7',
'pear/pear_exception' => 'v1.0.2@b14fbe2ddb0b9f94f5b24cf08783d599f776fff0',
@@ -117,7 +117,7 @@ final class Versions
'web-auth/cose-lib' => 'v3.3.9@ed172d2dc1a6b87b5c644c07c118cd30c1b3819b',
'web-auth/metadata-service' => 'v3.3.9@8488d3a832a38cc81c670fce05de1e515c6e64b1',
'web-auth/webauthn-lib' => 'v3.3.9@04b98ee3d39cb79dad68a7c15c297c085bf66bfe',
- 'nextcloud/3rdparty' => 'dev-master@d1bf85a7c711a101a13f65443216d76426e804fc',
+ 'nextcloud/3rdparty' => 'dev-master@1f66cef37b83a89a902e595e79e05c4eafbc855e',
);
private function __construct()
diff --git a/pear/archive_tar/Archive/Tar.php b/pear/archive_tar/Archive/Tar.php
index a8c9501cc..3356ad6ac 100644
--- a/pear/archive_tar/Archive/Tar.php
+++ b/pear/archive_tar/Archive/Tar.php
@@ -2124,25 +2124,40 @@ public function _extractList(
}
}
} elseif ($v_header['typeflag'] == "2") {
+ if (!$p_symlinks) {
+ $this->_warning('Symbolic links are not allowed. '
+ . 'Unable to extract {'
+ . $v_header['filename'] . '}'
+ );
+ return false;
+ }
+ $absolute_link = FALSE;
$link_depth = 0;
- foreach (explode("/", $v_header['filename']) as $dir) {
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== "." ) {
- $link_depth++;
- }
+ if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
+ $absolute_link = TRUE;
}
- foreach (explode("/", $v_header['link']) as $dir){
- if ($link_depth <= 0) {
- break;
+ else {
+ $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
+ $s_linkname = str_replace('\\', '/', $v_header['link']);
+ foreach (explode("/", $s_filename) as $dir) {
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== "." ) {
+ $link_depth++;
+ }
}
- if ($dir === "..") {
- $link_depth--;
- } elseif ($dir !== "" && $dir !== ".") {
- $link_depth++;
+ foreach (explode("/", $s_linkname) as $dir){
+ if ($link_depth <= 0) {
+ break;
+ }
+ if ($dir === "..") {
+ $link_depth--;
+ } elseif ($dir !== "" && $dir !== ".") {
+ $link_depth++;
+ }
}
}
- if (strpos($v_header['link'], "/") === 0 or $link_depth <= 0) {
+ if ($absolute_link || $link_depth <= 0) {
$this->_error(
'Out-of-path file extraction {'
. $v_header['filename'] . ' --> ' .
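Review bot: `preg_quote($p_path)` on the `$s_filename` line is called without the pattern delimiter, so a `$p_path` that contains `@` yields a malformed pattern and `preg_replace` returns null with a PCRE warning; the fix is `$s_filename = preg_replace('@^' . preg_quote($p_path, '@') . '@', "", $v_header['filename']);`. In that case `explode` on the null result leaves `$link_depth` at 0 and the entry is rejected as out-of-path, which fails closed but by accident rather than by a deliberate check. The prefix strip also assumes `$v_header['filename']` literally starts with `$p_path` in the same separator form, while only the link target has backslashes normalized; if the entry name or `$p_path` can differ in separators the prefix is not removed and the depth budget grows by the number of components in `$p_path`, so this is worth confirming against how `$v_header['filename']` is built earlier in the function. The enclosing `_extractList` starts before and continues past this hunk.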
@@ -2150,13 +2165,6 @@ public function _extractList(
);
return false;
}
- if (!$p_symlinks) {
- $this->_warning('Symbolic links are not allowed. '
- . 'Unable to extract {'
- . $v_header['filename'] . '}'
- );
- return false;
- }
if (@file_exists($v_header['filename'])) {
@unlink($v_header['filename']);
}
diff --git a/pear/archive_tar/package.xml b/pear/archive_tar/package.xml
index 8da0d40c9..d4f20bd4b 100644
--- a/pear/archive_tar/package.xml
+++ b/pear/archive_tar/package.xml
@@ -32,10 +32,10 @@ Also Lzma2 compressed archives are supported with xz extension.
stig@php.net
no
- 2021-02-16
-
+ 2021-07-20
+
- 1.4.13
+ 1.4.14
1.4.0
@@ -44,7 +44,7 @@ Also Lzma2 compressed archives are supported with xz extension.
New BSD License
-* Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
+* Properly fix symbolic link path traversal (CVE-2021-32610)
@@ -74,6 +74,21 @@ Also Lzma2 compressed archives are supported with xz extension.
+
+
+ 1.4.13
+ 1.4.0
+
+
+ stable
+ stable
+
+ 2021-02-16
+ New BSD License
+
+ * Fix Bug #27010: Relative symlinks failing (out-of path file extraction) [mrook]
+
+
1.4.12