fix: specialized tar extract traversal

piksel · piksel · commit 5c3b293de5d6 · 2021-09-19T08:58:07.000+02:00
diff --git a/src/ICSharpCode.SharpZipLib/Tar/TarArchive.cs b/src/ICSharpCode.SharpZipLib/Tar/TarArchive.cs
@@ -658,8 +658,9 @@ private void ExtractEntry(string destDir, TarEntry entry, bool allowParentTraver
 			name = name.Replace('/', Path.DirectorySeparatorChar);
 
 			string destFile = Path.Combine(destDir, name);
+			var destFileDir = Path.GetDirectoryName(Path.GetFullPath(destFile)) ?? "";
 
-			if (!allowParentTraversal && !Path.GetFullPath(destFile).StartsWith(destDir, StringComparison.InvariantCultureIgnoreCase))
+			if (!allowParentTraversal && !destFileDir.StartsWith(destDir, StringComparison.InvariantCultureIgnoreCase))
 			{
 				throw new InvalidNameException("Parent traversal in paths is not allowed");
 			}

Original file line number	Diff line number	Diff line change
`@@ -658,8 +658,9 @@ private void ExtractEntry(string destDir, TarEntry entry, bool allowParentTraver`
`658`	`658`	`name = name.Replace('/', Path.DirectorySeparatorChar);`
`659`	`659`
`660`	`660`	`string destFile = Path.Combine(destDir, name);`
	`661`	`+ var destFileDir = Path.GetDirectoryName(Path.GetFullPath(destFile)) ?? "";`
`661`	`662`
`662`		`- if (!allowParentTraversal && !Path.GetFullPath(destFile).StartsWith(destDir, StringComparison.InvariantCultureIgnoreCase))`
	`663`	`+ if (!allowParentTraversal && !destFileDir.StartsWith(destDir, StringComparison.InvariantCultureIgnoreCase))`
`663`	`664`	`{`
`664`	`665`	`throw new InvalidNameException("Parent traversal in paths is not allowed");`
`665`	`666`	`}`