51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
From 7daea2a2429a54dad68b1de9b37a5f65c5cf2600 Mon Sep 17 00:00:00 2001
|
|
From: Jaroslav Rohel <jrohel@redhat.com>
|
|
Date: Wed, 12 Aug 2020 08:35:28 +0200
|
|
Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)
|
|
|
|
= changelog =
|
|
msg: Validate path read from repomd.xml
|
|
type: security
|
|
---
|
|
librepo/yum.c | 17 +++++++++++++++++
|
|
1 file changed, 17 insertions(+)
|
|
|
|
diff --git a/librepo/yum.c b/librepo/yum.c
|
|
index 3059188..529257b 100644
|
|
--- a/librepo/yum.c
|
|
+++ b/librepo/yum.c
|
|
@@ -23,6 +23,7 @@
|
|
#define BITS_IN_BYTE 8
|
|
|
|
#include <stdio.h>
|
|
+#include <libgen.h>
|
|
#include <assert.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
|
|
continue;
|
|
|
|
char *location_href = record->location_href;
|
|
+
|
|
+ char *dest_dir = realpath(handle->destdir, NULL);
|
|
+ path = lr_pathconcat(handle->destdir, record->location_href, NULL);
|
|
+ char *requested_dir = realpath(dirname(path), NULL);
|
|
+ lr_free(path);
|
|
+ if (!g_str_has_prefix(requested_dir, dest_dir)) {
|
|
+ g_debug("%s: Invalid path: %s", __func__, location_href);
|
|
+ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
|
|
+ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
|
|
+ free(requested_dir);
|
|
+ free(dest_dir);
|
|
+ return FALSE;
|
|
+ }
|
|
+ free(requested_dir);
|
|
+ free(dest_dir);
|
|
+
|
|
gboolean is_zchunk = FALSE;
|
|
#ifdef WITH_ZCHUNK
|
|
if (handle->cachedir && record->header_checksum)
|
|
--
|
|
1.8.3.1
|
|
|