maride/afl-transmit
1
0
Fork 0
mirror of https://github.com/maride/afl-transmit.git synced 2024-11-21 15:04:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Poorly protect against directory traversal

Browse Source
This commit is contained in:
maride 2021-04-27 00:25:59 +02:00
parent 02df628076
commit e06e7f204c
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
logistic/unpacker.go
View File

@ -10,6 +10,7 @@ import (
"log" "log"
"os" "os"
"path" "path"
"strings"
) )
// UnpackInto decrompesses the given bytes with DEFLATE, then unpacks the result as TAR archive into the targetDir // UnpackInto decrompesses the given bytes with DEFLATE, then unpacks the result as TAR archive into the targetDir
@ -66,6 +67,12 @@ func unpackSingleFile(raw []byte, targetDirectory string, filename string) {
return return
} }
// Check if some funny stuff is going on
if strings.Contains(targetDirectory, "..") || strings.Contains(filename, "..") {
log.Printf("Skipping traversal filename: %s", filename)
return
}
// Check if the target directory already exists - otherwise we create it // Check if the target directory already exists - otherwise we create it
dirOfFile := path.Dir(fmt.Sprintf("%s%c%s", targetDirectory, os.PathSeparator, filename)) dirOfFile := path.Dir(fmt.Sprintf("%s%c%s", targetDirectory, os.PathSeparator, filename))
_, dirInfoErr := os.Stat(dirOfFile) _, dirInfoErr := os.Stat(dirOfFile)