Fix the zip slip (archive path traversal) vulnerability in apache-ant by applying the upstream patch to the Expand task, which skips entries that would be written outside the destination directory.
Change-Id: Ibfe96985cf6741e3efec8f646ad465c015ca4b91
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5289
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
Reviewed-by: Sharath George
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,74 @@ |
| 0 |
+diff --git a/src/main/org/apache/tools/ant/taskdefs/Expand.java b/src/main/org/apache/tools/ant/taskdefs/Expand.java |
|
| 1 |
+index a586556..a3a2745 100644 |
|
| 2 |
+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java |
|
| 3 |
+@@ -69,6 +69,7 @@ public class Expand extends Task {
|
|
| 4 |
+ private boolean failOnEmptyArchive = false; |
|
| 5 |
+ private boolean stripAbsolutePathSpec = false; |
|
| 6 |
+ private boolean scanForUnicodeExtraFields = true; |
|
| 7 |
++ private Boolean allowFilesToEscapeDest = null; |
|
| 8 |
+ |
|
| 9 |
+ public static final String NATIVE_ENCODING = "native-encoding"; |
|
| 10 |
+ |
|
| 11 |
+@@ -259,14 +260,17 @@ public class Expand extends Task {
|
|
| 12 |
+ boolean isDirectory, FileNameMapper mapper) |
|
| 13 |
+ throws IOException {
|
|
| 14 |
+ |
|
| 15 |
+- if (stripAbsolutePathSpec && entryName.length() > 0 |
|
| 16 |
++ final boolean entryNameStartsWithPathSpec = entryName.length() > 0 |
|
| 17 |
+ && (entryName.charAt(0) == File.separatorChar |
|
| 18 |
+ || entryName.charAt(0) == '/' |
|
| 19 |
+- || entryName.charAt(0) == '\\')) {
|
|
| 20 |
++ || entryName.charAt(0) == '\\'); |
|
| 21 |
++ if (stripAbsolutePathSpec && entryNameStartsWithPathSpec) {
|
|
| 22 |
+ log("stripped absolute path spec from " + entryName,
|
|
| 23 |
+ Project.MSG_VERBOSE); |
|
| 24 |
+ entryName = entryName.substring(1); |
|
| 25 |
+ } |
|
| 26 |
++ boolean allowedOutsideOfDest = Boolean.TRUE == getAllowFilesToEscapeDest() |
|
| 27 |
++ || null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec; |
|
| 28 |
+ |
|
| 29 |
+ if (patternsets != null && patternsets.size() > 0) {
|
|
| 30 |
+ String name = entryName.replace('/', File.separatorChar)
|
|
| 31 |
+@@ -332,6 +336,12 @@ public class Expand extends Task {
|
|
| 32 |
+ mappedNames = new String[] {entryName};
|
|
| 33 |
+ } |
|
| 34 |
+ File f = fileUtils.resolveFile(dir, mappedNames[0]); |
|
| 35 |
++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
|
|
| 36 |
++ log("skipping " + entryName + " as its target " + f + " is outside of "
|
|
| 37 |
++ + dir + ".", Project.MSG_VERBOSE); |
|
| 38 |
++ return; |
|
| 39 |
++ } |
|
| 40 |
++ |
|
| 41 |
+ try {
|
|
| 42 |
+ if (!overwrite && f.exists() |
|
| 43 |
+ && f.lastModified() >= entryDate.getTime()) {
|
|
| 44 |
+@@ -533,4 +543,25 @@ public class Expand extends Task {
|
|
| 45 |
+ return scanForUnicodeExtraFields; |
|
| 46 |
+ } |
|
| 47 |
+ |
|
| 48 |
++ /** |
|
| 49 |
++ * Whether to allow the extracted file or directory to be outside of the dest directory. |
|
| 50 |
++ * |
|
| 51 |
++ * @param b the flag |
|
| 52 |
++ * @since Ant 1.9.12 |
|
| 53 |
++ */ |
|
| 54 |
++ public void setAllowFilesToEscapeDest(boolean b) {
|
|
| 55 |
++ allowFilesToEscapeDest = b; |
|
| 56 |
++ } |
|
| 57 |
++ |
|
| 58 |
++ /** |
|
| 59 |
++ * Whether to allow the extracted file or directory to be outside of the dest directory. |
|
| 60 |
++ * |
|
| 61 |
++ * @return {@code null} if the flag hasn't been set explicitly,
|
|
| 62 |
++ * otherwise the value set by the user. |
|
| 63 |
++ * @since Ant 1.9.12 |
|
| 64 |
++ */ |
|
| 65 |
++ public Boolean getAllowFilesToEscapeDest() {
|
|
| 66 |
++ return allowFilesToEscapeDest; |
|
| 67 |
++ } |
|
| 68 |
++ |
|
| 69 |
+ } |
|
| 70 |
+-- |
|
| 71 |
+2.7.4 |
|
| 72 |
+ |
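Review bot: With the defaults shown in the first hunk (`stripAbsolutePathSpec = false`, `allowFilesToEscapeDest = null`), the `allowedOutsideOfDest` initializer in the second hunk (`@@ -259,14 +260,17 @@`) still evaluates to true for any entry whose name starts with `/` or `\`, so an archive entry named like `/etc/...` bypasses the new `isLeadingPath` check and only `../` traversal is blocked by default; this appears to be upstream's backwards-compatibility choice, but a distro build should decide explicitly whether to keep it. If the stricter behaviour is wanted, `boolean allowedOutsideOfDest = Boolean.TRUE.equals(getAllowFilesToEscapeDest());` closes the gap, and `Boolean.TRUE.equals(...)` also replaces the reference comparison `Boolean.TRUE == getAllowFilesToEscapeDest()`, which only works because the `boolean` setter autoboxes through `Boolean.valueOf`. Either way, the `skipping ... is outside of` message in the third hunk is logged at `Project.MSG_VERBOSE`, so a hostile archive is silently truncated in normal build output; `Project.MSG_WARN` would make that visible. The method these hunks patch (its parameter list is cut off at the top of the second hunk) starts and ends outside the shown context, and the rendered page shows no `+++ b/...` line after `+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java`, which may be a rendering artefact but is worth confirming in the committed patch file since `patch -p1` needs it.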
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Apache Ant |
| 2 | 2 |
Name: apache-ant |
| 3 | 3 |
Version: 1.10.1 |
| 4 |
-Release: 5%{?dist}
|
|
| 4 |
+Release: 6%{?dist}
|
|
| 5 | 5 |
License: Apache |
| 6 | 6 |
URL: http://ant.apache.org |
| 7 | 7 |
Group: Applications/System |
| ... | ... |
@@ -14,6 +14,7 @@ Source1: http://hamcrest.googlecode.com/files/hamcrest-1.3.tar.gz |
| 14 | 14 |
%define sha1 hamcrest=f0ab4d66186b894a06d89d103c5225cf53697db3 |
| 15 | 15 |
Source2: http://dl.bintray.com/vmware/photon_sources/1.0/maven-ant-tasks-2.1.3.tar.gz |
| 16 | 16 |
%define sha1 maven-ant-tasks=f38c0cc7b38007b09638366dbaa4ee902d9c255b |
| 17 |
+Patch0: apache-ant-zip-slip-vulnerability.patch |
|
| 17 | 18 |
Requires: openjre8 |
| 18 | 19 |
BuildRequires: openjre8 |
| 19 | 20 |
BuildRequires: openjdk8 |
| ... | ... |
@@ -39,6 +40,7 @@ Ant. |
| 39 | 39 |
%setup -q |
| 40 | 40 |
tar xf %{SOURCE1} --no-same-owner
|
| 41 | 41 |
tar xf %{SOURCE2} --no-same-owner
|
| 42 |
+%patch0 -p1 |
|
| 42 | 43 |
|
| 43 | 44 |
%clean |
| 44 | 45 |
rm -rf %{buildroot}
|
| ... | ... |
@@ -106,6 +108,8 @@ chmod 644 $MAVEN_ANT_TASKS_DIR/* |
| 106 | 106 |
%{_bindir}/runant.pl
|
| 107 | 107 |
|
| 108 | 108 |
%changelog |
| 109 |
+* Fri Jun 22 2018 Keerthana K <keerthanak@vmware.com> 1.10.1-6 |
|
| 110 |
+- Fix for Zip slip vulnerability. |
|
| 109 | 111 |
* Wed Jun 28 2017 Kumar Kaushik <kaushikk@vmware.com> 1.10.1-5 |
| 110 | 112 |
- Base package does not require python2. |
| 111 | 113 |
* Mon Jun 19 2017 Divya Thaluru <dthaluru@vmware.com> 1.10.1-4 |
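Review bot: The changelog entry `- Fix for Zip slip vulnerability.` gives an auditor no way to trace the fix: neither it nor the added patch file (which begins at `diff --git` with no `From:`/`Subject:` header, though it ends with a `-- 2.7.4` format-patch trailer) records the upstream Apache Ant commit or advisory it was backported from. Suggest a provenance comment above `Patch0:`, e.g. `# Backport of the upstream Apache Ant Expand zip-slip fix (the patch's javadoc marks it @since Ant 1.9.12)`, and a changelog line such as `- Fix for Zip slip vulnerability (backport of upstream Expand.java fix; cite the upstream commit and the advisory/CVE if one has been assigned).` Since the patch's hunk headers target a newer Expand.java than the 1.10.1 tarball, it is also worth noting in the patch header that the hunks were verified to apply to 1.10.1 without fuzz, so a later rebase does not silently drop the check.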