Update to Drupal 7.82. For more information, see https://www.drupal.o…

…rg/project/drupal/releases/7.82
pantheon-systems · Jul 21, 2021 · a43e1e7 · a43e1e7
1 parent 96eded7
commit a43e1e7
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 9 deletions.
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.82, 2021-07-21
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2021-004
+
 Drupal 7.81, 2021-06-02
 -----------------------
 - Block Google FLoC by default

diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.81');
+define('VERSION', '7.82');
 
 /**
  * Core API compatibility.

diff --git a/modules/system/system.tar.inc b/modules/system/system.tar.inc
@@ -2178,21 +2178,47 @@ class Archive_Tar
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
-                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
-                            $this->_error(
-                                'Out-of-path file extraction {'
-                                . $v_header['filename'] . ' --> ' .
-                                $v_header['link'] . '}'
-                            );
-                            return false;
-                        }
                         if (!$p_symlinks) {
                             $this->_warning('Symbolic links are not allowed. '
                                 . 'Unable to extract {'
                                 . $v_header['filename'] . '}'
                             );
                             return false;
                         }
+                        $absolute_link = FALSE;
+                        $link_depth = 0;
+                        if (strpos($v_header['link'], "/") === 0 || strpos($v_header['link'], ':') !== FALSE) {
+                          $absolute_link = TRUE;
+                        }
+                        else {
+                            $s_filename = preg_replace('@^' . preg_quote($p_path) . '@', "", $v_header['filename']);
+                            $s_linkname = str_replace('\\', '/', $v_header['link']);
+                            foreach (explode("/", $s_filename) as $dir) {
+                                if ($dir === "..") {
+                                    $link_depth--;
+                                } elseif ($dir !== "" && $dir !== "." ) {
+                                    $link_depth++;
+                                }
+                            }
+                            foreach (explode("/", $s_linkname) as $dir){
+                                if ($link_depth <= 0) {
+                                    break;
+                                }
+                                if ($dir === "..") {
+                                    $link_depth--;
+                                } elseif ($dir !== "" && $dir !== ".") {
+                                    $link_depth++;
+                                }
+                            }
+                        }
+                        if ($absolute_link || $link_depth <= 0) {
+                            $this->_error(
+                                 'Out-of-path file extraction {'
+                                 . $v_header['filename'] . ' --> ' .
+                                 $v_header['link'] . '}'
+                            );
+                            return false;
+                        }
                         if (@file_exists($v_header['filename'])) {
                             @drupal_unlink($v_header['filename']);
                         }