blob: 216f235d86465585c583f8dcaea95c60f299b95b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From 8ff7abc14d41906ad978b6bc67e69693863b9d47 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Mon, 3 Sep 2018 21:14:30 +0200
Subject: Fix path traversal issue when extracting an .okular file
Summary:
With specially crafted .okular files you can trick okular to create temporary files outside the temporary folder
We fix that by making sure the file doesn't have folders since the ones we create don't
BUGS: 398096
Subscribers: okular-devel
Tags: #okular
Differential Revision: https://phabricator.kde.org/D15192
---
core/document.cpp | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/core/document.cpp b/core/document.cpp
index 5e3c169..7d46173 100644
--- a/core/document.cpp
+++ b/core/document.cpp
@@ -4819,6 +4819,18 @@ ArchiveData *DocumentPrivate::unpackDocumentArchive( const QString &archivePath
return nullptr;
const KArchiveDirectory * mainDir = okularArchive.directory();
+
+ // Check the archive doesn't have folders, we don't create them when saving the archive
+ // and folders mean paths and paths mean path traversal issues
+ for ( const QString &entry : mainDir->entries() )
+ {
+ if ( mainDir->entry( entry )->isDirectory() )
+ {
+ qWarning() << "Warning: Found a directory inside" << archivePath << " - Okular does not create files like that so it is most probably forged.";
+ return nullptr;
+ }
+ }
+
const KArchiveEntry * mainEntry = mainDir->entry( QStringLiteral("content.xml") );
if ( !mainEntry || !mainEntry->isFile() )
return nullptr;
--
cgit v0.11.2
|
GitWeb
