--- /dev/null
+From 3e1e224fd031ae3927acda70f6e1fa55193e5b68 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 20 Feb 2018 15:57:45 +0100
+Subject: [PATCH] tar,unzip: postpone creation of symlinks with "suspicious"
+ targets
+
+This mostly reverts commit bc9bbeb2b81001e8731cd2ae501c8fccc8d87cc7
+"libarchive: do not extract unsafe symlinks unless $EXTRACT_UNSAFE_SYMLINKS=1"
+
+Users report that it is somewhat too restrictive. See
+https://bugs.busybox.net/show_bug.cgi?id=8411
+
+In particular, this interferes with unpacking of busybox-based
+filesystems with links like "sbin/applet" -> "../bin/busybox".
+
+The change is made smaller by deleting ARCHIVE_EXTRACT_QUIET flag -
+it is unused since 2010, and removing conditionals on it
+allows commonalizing some error message codes.
+
+function old new delta
+create_or_remember_symlink - 94 +94
+create_symlinks_from_list - 64 +64
+tar_main 1002 1006 +4
+unzip_main 2732 2724 -8
+data_extract_all 984 891 -93
+unsafe_symlink_target 147 - -147
+------------------------------------------------------------------------------
+(add/remove: 2/1 grow/shrink: 1/2 up/down: 162/-248) Total: -86 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport from 1.28.2 [https://git.busybox.net/busybox/commit/?h=1_28_stable&id=37277a23fe48b13313f5d96084d890ed21d5fd8b]
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ archival/libarchive/data_extract_all.c | 50 +++++++++-------
+ archival/libarchive/unsafe_symlink_target.c | 63 +++++++++------------
+ archival/tar.c | 2 +
+ archival/unzip.c | 29 ++++++----
+ include/bb_archive.h | 23 +++++---
+ testsuite/tar.tests | 10 ++--
+ 6 files changed, 95 insertions(+), 82 deletions(-)
+
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index b828b656d..dad8d7d87 100644
+--- a/archival/libarchive/data_extract_all.c
++++ b/archival/libarchive/data_extract_all.c
+@@ -108,9 +108,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ }
+ }
+ else if (existing_sb.st_mtime >= file_header->mtime) {
+- if (!(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+- && !S_ISDIR(file_header->mode)
+- ) {
++ if (!S_ISDIR(file_header->mode)) {
+ bb_error_msg("%s not created: newer or "
+ "same age file exists", dst_name);
+ }
+@@ -126,7 +124,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ /* Handle hard links separately */
+ if (hard_link) {
+ res = link(hard_link, dst_name);
+- if (res != 0 && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)) {
++ if (res != 0) {
+ /* shared message */
+ bb_perror_msg("can't create %slink '%s' to '%s'",
+ "hard", dst_name, hard_link
+@@ -166,10 +164,9 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ }
+ case S_IFDIR:
+ res = mkdir(dst_name, file_header->mode);
+- if ((res == -1)
++ if ((res != 0)
+ && (errno != EISDIR) /* btw, Linux doesn't return this */
+ && (errno != EEXIST)
+- && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+ ) {
+ bb_perror_msg("can't make dir %s", dst_name);
+ }
+@@ -177,27 +174,38 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ case S_IFLNK:
+ /* Symlink */
+ //TODO: what if file_header->link_target == NULL (say, corrupted tarball?)
+- if (!unsafe_symlink_target(file_header->link_target)) {
+- res = symlink(file_header->link_target, dst_name);
+- if (res != 0
+- && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+- ) {
+- /* shared message */
+- bb_perror_msg("can't create %slink '%s' to '%s'",
+- "sym",
+- dst_name, file_header->link_target
+- );
+- }
+- }
++
++ /* To avoid a directory traversal attack via symlinks,
++ * do not restore symlinks with ".." components
++ * or symlinks starting with "/", unless a magic
++ * envvar is set.
++ *
++ * For example, consider a .tar created via:
++ * $ tar cvf bug.tar anything.txt
++ * $ ln -s /tmp symlink
++ * $ tar --append -f bug.tar symlink
++ * $ rm symlink
++ * $ mkdir symlink
++ * $ tar --append -f bug.tar symlink/evil.py
++ *
++ * This will result in an archive that contains:
++ * $ tar --list -f bug.tar
++ * anything.txt
++ * symlink [-> /tmp]
++ * symlink/evil.py
++ *
++ * Untarring bug.tar would otherwise place evil.py in '/tmp'.
++ */
++ create_or_remember_symlink(&archive_handle->symlink_placeholders,
++ file_header->link_target,
++ dst_name);
+ break;
+ case S_IFSOCK:
+ case S_IFBLK:
+ case S_IFCHR:
+ case S_IFIFO:
+ res = mknod(dst_name, file_header->mode, file_header->device);
+- if ((res == -1)
+- && !(archive_handle->ah_flags & ARCHIVE_EXTRACT_QUIET)
+- ) {
++ if (res != 0) {
+ bb_perror_msg("can't create node %s", dst_name);
+ }
+ break;
+diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
+index ee46e28f8..8dcafeaa1 100644
+--- a/archival/libarchive/unsafe_symlink_target.c
++++ b/archival/libarchive/unsafe_symlink_target.c
+@@ -5,44 +5,37 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+
+-int FAST_FUNC unsafe_symlink_target(const char *target)
++void FAST_FUNC create_or_remember_symlink(llist_t **symlink_placeholders,
++ const char *target,
++ const char *linkname)
+ {
+- const char *dot;
+-
+- if (target[0] == '/') {
+- const char *var;
+-unsafe:
+- var = getenv("EXTRACT_UNSAFE_SYMLINKS");
+- if (var) {
+- if (LONE_CHAR(var, '1'))
+- return 0; /* pretend it's safe */
+- return 1; /* "UNSAFE!" */
+- }
+- bb_error_msg("skipping unsafe symlink to '%s' in archive,"
+- " set %s=1 to extract",
+- target,
+- "EXTRACT_UNSAFE_SYMLINKS"
++ if (target[0] == '/' || strstr(target, "..")) {
++ llist_add_to(symlink_placeholders,
++ xasprintf("%s%c%s", linkname, '\0', target)
++ );
++ return;
++ }
++ if (symlink(target, linkname) != 0) {
++ /* shared message */
++ bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
++ "sym", linkname, target
+ );
+- /* Prevent further messages */
+- setenv("EXTRACT_UNSAFE_SYMLINKS", "0", 0);
+- return 1; /* "UNSAFE!" */
+ }
++}
+
+- dot = target;
+- for (;;) {
+- dot = strchr(dot, '.');
+- if (!dot)
+- return 0; /* safe target */
++void FAST_FUNC create_symlinks_from_list(llist_t *list)
++{
++ while (list) {
++ char *target;
+
+- /* Is it a path component starting with ".."? */
+- if ((dot[1] == '.')
+- && (dot == target || dot[-1] == '/')
+- /* Is it exactly ".."? */
+- && (dot[2] == '/' || dot[2] == '\0')
+- ) {
+- goto unsafe;
+- }
+- /* NB: it can even be trailing ".", should only add 1 */
+- dot += 1;
++ target = list->data + strlen(list->data) + 1;
++ if (symlink(target, list->data)) {
++ /* shared message */
++ bb_error_msg_and_die("can't create %slink '%s' to '%s'",
++ "sym",
++ list->data, target
++ );
++ }
++ list = list->link;
+ }
+-}
+\ No newline at end of file
++}
+diff --git a/archival/tar.c b/archival/tar.c
+index 7598b71e3..bde86330c 100644
+--- a/archival/tar.c
++++ b/archival/tar.c
+@@ -1252,6 +1252,8 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
+ while (get_header_tar(tar_handle) == EXIT_SUCCESS)
+ bb_got_signal = EXIT_SUCCESS; /* saw at least one header, good */
+
++ create_symlinks_from_list(tar_handle->symlink_placeholders);
++
+ /* Check that every file that should have been extracted was */
+ while (tar_handle->accept) {
+ if (!find_list_entry(tar_handle->reject, tar_handle->accept->data)
+diff --git a/archival/unzip.c b/archival/unzip.c
+index 270e261b7..2f53ab7a4 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -335,7 +335,10 @@ static void unzip_create_leading_dirs(const char *fn)
+ free(name);
+ }
+
+-static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
++#if ENABLE_FEATURE_UNZIP_CDF
++static void unzip_extract_symlink(llist_t **symlink_placeholders,
++ zip_header_t *zip,
++ const char *dst_fn)
+ {
+ char *target;
+
+@@ -361,17 +364,12 @@ static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn)
+ target[xstate.mem_output_size] = '\0';
+ #endif
+ }
+- if (!unsafe_symlink_target(target)) {
+-//TODO: libbb candidate
+- if (symlink(target, dst_fn)) {
+- /* shared message */
+- bb_perror_msg_and_die("can't create %slink '%s' to '%s'",
+- "sym", dst_fn, target
+- );
+- }
+- }
++ create_or_remember_symlink(symlink_placeholders,
++ target,
++ dst_fn);
+ free(target);
+ }
++#endif
+
+ static void unzip_extract(zip_header_t *zip, int dst_fd)
+ {
+@@ -464,6 +462,9 @@ int unzip_main(int argc, char **argv)
+ llist_t *zaccept = NULL;
+ llist_t *zreject = NULL;
+ char *base_dir = NULL;
++#if ENABLE_FEATURE_UNZIP_CDF
++ llist_t *symlink_placeholders = NULL;
++#endif
+ int i, opt;
+ char key_buf[80]; /* must match size used by my_fgets80 */
+ struct stat stat_buf;
+@@ -894,8 +895,8 @@ int unzip_main(int argc, char **argv)
+ }
+ #if ENABLE_FEATURE_UNZIP_CDF
+ if (S_ISLNK(file_mode)) {
+- if (dst_fd != STDOUT_FILENO) /* no -p */
+- unzip_extract_symlink(&zip, dst_fn);
++ if (dst_fd != STDOUT_FILENO) /* not -p? */
++ unzip_extract_symlink(&symlink_placeholders, &zip, dst_fn);
+ } else
+ #endif
+ {
+@@ -931,6 +932,10 @@ int unzip_main(int argc, char **argv)
+ total_entries++;
+ }
+
++#if ENABLE_FEATURE_UNZIP_CDF
++ create_symlinks_from_list(symlink_placeholders);
++#endif
++
+ if (listing && quiet <= 1) {
+ if (!verbose) {
+ // " Length Date Time Name\n"
+diff --git a/include/bb_archive.h b/include/bb_archive.h
+index 1e4da3c33..436eb0fe3 100644
+--- a/include/bb_archive.h
++++ b/include/bb_archive.h
+@@ -64,6 +64,9 @@ typedef struct archive_handle_t {
+ /* Currently processed file's header */
+ file_header_t *file_header;
+
++ /* List of symlink placeholders */
++ llist_t *symlink_placeholders;
++
+ /* Process the header component, e.g. tar -t */
+ void FAST_FUNC (*action_header)(const file_header_t *);
+
+@@ -119,15 +122,14 @@ typedef struct archive_handle_t {
+ #define ARCHIVE_RESTORE_DATE (1 << 0)
+ #define ARCHIVE_CREATE_LEADING_DIRS (1 << 1)
+ #define ARCHIVE_UNLINK_OLD (1 << 2)
+-#define ARCHIVE_EXTRACT_QUIET (1 << 3)
+-#define ARCHIVE_EXTRACT_NEWER (1 << 4)
+-#define ARCHIVE_DONT_RESTORE_OWNER (1 << 5)
+-#define ARCHIVE_DONT_RESTORE_PERM (1 << 6)
+-#define ARCHIVE_NUMERIC_OWNER (1 << 7)
+-#define ARCHIVE_O_TRUNC (1 << 8)
+-#define ARCHIVE_REMEMBER_NAMES (1 << 9)
++#define ARCHIVE_EXTRACT_NEWER (1 << 3)
++#define ARCHIVE_DONT_RESTORE_OWNER (1 << 4)
++#define ARCHIVE_DONT_RESTORE_PERM (1 << 5)
++#define ARCHIVE_NUMERIC_OWNER (1 << 6)
++#define ARCHIVE_O_TRUNC (1 << 7)
++#define ARCHIVE_REMEMBER_NAMES (1 << 8)
+ #if ENABLE_RPM
+-#define ARCHIVE_REPLACE_VIA_RENAME (1 << 10)
++#define ARCHIVE_REPLACE_VIA_RENAME (1 << 9)
+ #endif
+
+
+@@ -196,7 +198,10 @@ void seek_by_jump(int fd, off_t amount) FAST_FUNC;
+ void seek_by_read(int fd, off_t amount) FAST_FUNC;
+
+ const char *strip_unsafe_prefix(const char *str) FAST_FUNC;
+-int unsafe_symlink_target(const char *target) FAST_FUNC;
++void create_or_remember_symlink(llist_t **symlink_placeholders,
++ const char *target,
++ const char *linkname) FAST_FUNC;
++void create_symlinks_from_list(llist_t *list) FAST_FUNC;
+
+ void data_align(archive_handle_t *archive_handle, unsigned boundary) FAST_FUNC;
+ const llist_t *find_list_entry(const llist_t *list, const char *filename) FAST_FUNC;
+diff --git a/testsuite/tar.tests b/testsuite/tar.tests
+index 127eeaaee..21cef49fe 100755
+--- a/testsuite/tar.tests
++++ b/testsuite/tar.tests
+@@ -279,7 +279,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
+ testing "tar does not extract into symlinks" "\
+ >>/tmp/passwd && uudecode -o input && tar xf input 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
+ " "\
+-tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
++tar: can't create symlink 'passwd' to '/tmp/passwd'
+ 0
+ " \
+ "" "\
+@@ -299,7 +299,7 @@ optional UUDECODE FEATURE_TAR_AUTODETECT FEATURE_SEAMLESS_BZ2
+ testing "tar -k does not extract into symlinks" "\
+ >>/tmp/passwd && uudecode -o input && tar xf input -k 2>&1 && rm passwd; cat /tmp/passwd; echo \$?
+ " "\
+-tar: skipping unsafe symlink to '/tmp/passwd' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
++tar: can't create symlink 'passwd' to '/tmp/passwd'
+ 0
+ " \
+ "" "\
+@@ -324,11 +324,11 @@ rm -rf etc usr
+ ' "\
+ etc/ssl/certs/3b2716e5.0
+ etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+-tar: skipping unsafe symlink to '/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+ etc/ssl/certs/f80cc7f6.0
+ usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+ 0
+ etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
++etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+ etc/ssl/certs/f80cc7f6.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+ " \
+ "" ""
+@@ -346,9 +346,9 @@ ls symlink/bb_test_evilfile
+ ' "\
+ anything.txt
+ symlink
+-tar: skipping unsafe symlink to '/tmp' in archive, set EXTRACT_UNSAFE_SYMLINKS=1 to extract
+ symlink/bb_test_evilfile
+-0
++tar: can't create symlink 'symlink' to '/tmp'
++1
+ ls: /tmp/bb_test_evilfile: No such file or directory
+ ls: bb_test_evilfile: No such file or directory
+ symlink/bb_test_evilfile
+--
+2.17.1
+
