Bug 783

Summary: dpkg.c dot-directory extraction bug
Product: Busybox
Reporter: Michael Smith <msmith>
Component: Other
Assignee: unassigned
Status: RESOLVED FIXED
Severity: normal
CC: busybox-cvs
Priority: P5
Version: 1.13.x
Target Milestone: ---
Hardware: PC
OS: Linux
Host:
Target:
Build:
Attachments: fix dot-dir extraction
Fix dot-dir extraction v2

Description Michael Smith 2009-12-07 21:35:36 UTC
Created attachment 809
fix dot-dir extraction

data_extract_all_prefix() is trying to remove the leading "./" from pathnames, but it will also catch a leading "./." so dot-directories don't get extracted happily.
Comment 1 Denys Vlasenko 2010-01-08 17:07:19 UTC
Your patch will mishandle ".name" by treating it like "name".

How about this?

-       name_ptr += strspn(name_ptr, "./");
+       /* Skip all leading "/" */
+       while (*name_ptr == '/')
+               name_ptr++;
+       /* Skip all leading "./" and "../" */
+       while (name_ptr[0] == '.') {
+               if (name_ptr[1] == '.' && name_ptr[2] == '/')
+                       name_ptr++;
+               if (name_ptr[1] != '/')
+                       break;
+               name_ptr += 2;
+       }
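Review bot: the leading "/" skip runs only once, before the dot loop, so a name such as ".//name" leaves the loop pointing at "/name" with a leading slash still in place. Fold the `*name_ptr == '/'` test into the same loop as the "./" test so that slashes following a stripped "./" are skipped as well. The `name_ptr[1] == '.' && name_ptr[2] == '/'` branch also strips "../" silently; a comment stating whether such names are rejected earlier in the tar header parsing would make the intent clear.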
Comment 2 Michael Smith 2010-01-11 16:07:06 UTC
That's true. I haven't seen a deb data.tar where the entries don't start with "./", but there's no reason it couldn't happen.

I don't think we need to strip the leading "../". Looking in get_header_tar.c, it looks like anything beginning with "../" or containing "/../" is rejected.
Comment 3 Michael Smith 2010-01-11 16:41:49 UTC
Created attachment 889
Fix dot-dir extraction v2

OK, this one strips leading "/" and "./", but not ".name".
Comment 4 Denys Vlasenko 2010-01-30 23:18:07 UTC
Fixed in 1.16.0
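
The difference between the `strspn()` call quoted in Comment 1 and the behaviour described in Comment 3, as an added example (not BusyBox code and not the contents of either attachment). The helper names `strip_strspn` and `strip_leading` and the sample member names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pre-fix behaviour quoted in Comment 1: skip every leading '.' or '/'. */
static const char *strip_strspn(const char *name)
{
	return name + strspn(name, "./");
}

/* Hypothetical helper: drop leading "/" and "./" components only.
 * ".name" is kept, and "../" is left intact so a later check can reject it. */
static const char *strip_leading(const char *name)
{
	for (;;) {
		if (name[0] == '/')
			name++;
		else if (name[0] == '.' && name[1] == '/')
			name += 2;
		else
			return name;
	}
}

int main(void)
{
	/* Constructed sample member names, not taken from a real .deb. */
	static const char *const samples[] = {
		"./usr/bin/tool", "./.config/app.conf", ".hidden",
		"/etc/motd", ".//etc/motd", "../outside",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-20s strspn: %-16s strict: %s\n", samples[i],
		       strip_strspn(samples[i]), strip_leading(samples[i]));
	return 0;
}
```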