Bug 1806899 - Sanitize tarfile.extractall input
Status: Closed, RESOLVED FIXED
Opened 1 year ago, closed 1 year ago
Categories: Release Engineering :: General, defect
Tracking: Not tracked
People: Reporter: gbrown, Assigned: gbrown
Keywords: leave-open
Attachments: 15 files, 1 obsolete file
Comment 1•1 year ago
Comment 2•1 year ago
Comment 3•1 year ago
- archive-escape.tar is the same as archive.tar with an extra empty "../../../../../../../etc/passwd" member appended
- archive-setuid.tar is the same as archive.tar with an extra empty "./bin/setuid" member appended, with mode 1744
Updated•1 year ago
Group: partner-confidential
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b171320171a1 Sanitize extractall input (mozharness) r=jcristau
Updated•1 year ago
Keywords: leave-open
Comment 5•1 year ago
bugherder
Pushed by jcristau@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7b37ded95024 test unpacking crafted archives r=gbrown
Comment 7•1 year ago
bugherder
Comment 8•1 year ago
Comment 9•1 year ago
Syncs m-c copy of tooltool.py with https://github.com/mozilla-releng/tooltool/pull/1066
Comment 10•1 year ago
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6e5ab36bae64 Sanitize extractall input (m-c tooltool) r=jcristau
Comment 11•1 year ago
bugherder
Comment 12•1 year ago
Add a check for setuid/gid on each tar member to be extracted.
Modify the check for escaping the destination: This should catch absolute paths now, and also allow for the unusual but innocuous case of "<subdir>/..".
Updated•1 year ago
Attachment #9309469 - Attachment description: Bug 1806899 - Sanitize extractall input (dmg.py) → Bug 1806899 - Sanitize extractall input (mozbuild)
Comment 13•1 year ago
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2fbbe5e4b32f Harden mozfile extract_tarball r=ahal
Comment 14•1 year ago
Comment 16•1 year ago
bugherder
Comment 17•1 year ago
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3eab2cd717ad Sanitize extractall input (remaining) r=jcristau
Comment 18•1 year ago
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/30c4cf95cc4d Sanitize extractall input (mozbuild) r=jcristau
Comment 19•1 year ago
bugherder
Comment 20•1 year ago
Comment 21•1 year ago
Updated•1 year ago
Attachment #9318254 - Attachment is obsolete: true
Comment 22•1 year ago
Apply the link escape check from tooltool to all the m-c tarfile extractions previously updated.
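What the checks discussed in this bug amount to, as an added example that is not the mozharness, tooltool or mozfile code from the patches: a per-member scan that rejects names resolving outside the destination (absolute paths included) while accepting "<subdir>/..", rejects setuid/setgid modes, and resolves symlink and hard-link targets the way tar extraction does. DEST, the archive contents and all function names are constructed for illustration.

```python
import io
import os
import tarfile

def member_problem(member, dest):
    """Return None if `member` may be extracted into `dest`, else why it is rejected."""
    dest_real = os.path.realpath(dest)
    inside = lambda p: p == dest_real or p.startswith(dest_real + os.sep)
    # Absolute names and '..' runs that climb above dest resolve outside it; 'subdir/..' does not.
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if not inside(target):
        return "escapes destination"
    if member.mode & 0o6000:  # setuid (04000) or setgid (02000) bit
        return "setuid/setgid bit set"
    # Symlink targets are relative to the link's directory, hard-link targets to the archive root.
    if member.issym() or member.islnk():
        base = os.path.dirname(target) if member.issym() else dest_real
        if not inside(os.path.realpath(os.path.join(base, member.linkname))):
            return "link target escapes destination"

def find_unsafe(tar_bytes, dest):
    """Scan without extracting; return [(name, reason)] for every rejected member."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [(m.name, r) for m in tar.getmembers() for r in [member_problem(m, dest)] if r]

def safe_extract(tar_bytes, dest):
    """Refuse the whole archive if any member fails a check; otherwise extract it."""
    bad = find_unsafe(tar_bytes, dest)
    if bad:
        raise ValueError("unsafe archive: %s" % bad)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        tar.extractall(dest)

def build_tar(entries):
    """Constructed in-memory archive from (name, type, linkname, mode) tuples; members are empty."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, linkname, mode in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.mode = kind, linkname, mode
            tar.addfile(info)
    return buf.getvalue()

# Constructed samples in the spirit of this bug's crafted archives; DEST is a hypothetical path.
DEST = "/nonexistent-dest/unpack"
ARCHIVE_BAD = build_tar([("../../../../../../../etc/passwd", tarfile.REGTYPE, "", 0o644),
                         ("./bin/setuid", tarfile.REGTYPE, "", 0o4755),
                         ("sub/link", tarfile.SYMTYPE, "../../outside", 0o777),
                         ("hard", tarfile.LNKTYPE, "../outside", 0o644)])
ARCHIVE_OK = build_tar([("sub", tarfile.DIRTYPE, "", 0o755), ("sub/../file", tarfile.REGTYPE, "", 0o644)])
```

Python 3.12 and later (and the security backports to older 3.x releases) add tarfile extraction filters; extractall(dest, filter="data") applies comparable path, link and mode checks, while an explicit scan like this one also runs on interpreters without filters.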
Comment 23•1 year ago
Comment 24•1 year ago
Comment 25•1 year ago
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/79967b676cf8 Detect link escapes in safe_extract (all m-c) r=jcristau
Comment 26•1 year ago
Update the web-platform tests' copy of tooltool client with the latest version from the tooltool repo.
Comment 27•1 year ago
bugherder
Comment 28•1 year ago
Pushed by gbrown@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/907dd0b20c7f Update vendored copy of tooltool client (wpt) r=jgraham
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38786 for changes under testing/web-platform/tests
Comment 30•1 year ago
I found another copy of tooltool.py in mozilla-vpn-client: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/6208
Comment 31•1 year ago
bugherder
Comment 32•1 year ago
Comment 33•1 year ago
Upstream PR merged by jgraham
Comment 35•1 year ago
Updated•1 year ago
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED