From b5acf1e9254080c2f283c623f59e412cdb29939a Mon Sep 17 00:00:00 2001
From: Nick White <git@njw.name>
Date: Mon, 27 Apr 2015 12:25:44 +0100
Subject: [PATCH 1/2] Strip dangerous path traversal stuff from paths

Specifically, this removes '../' from anywhere in a path, and any
number of '/' at the start of a path
---
 tar.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/tar.c b/tar.c
index b1f3b27..0bd3fcf 100644
--- a/tar.c
+++ b/tar.c
@@ -359,6 +359,27 @@ sanitize(struct header *h)
 }
 
 static void
+sanitizepath(char *p)
+{
+	size_t l;
+	char *s;
+
+	/* Strip leading '/' characters */
+	while(*p == '/') {
+		l = strlen(p);
+		memmove(p, p+1, l - 1);
+		*(p + l - 1) = '\0';
+	}
+
+	/* Strip '../' from anywhere */
+	while((s = strstr(p, "../")) != NULL) {
+		l = strlen(s);
+		memmove(s, s + 3, l - 3);
+		*(s + l - 3) = '\0';
+	}
+}
+
+static void
 chktar(struct header *h)
 {
 	char tmp[8], *err;
@@ -407,6 +428,7 @@ xt(int argc, char *argv[], int (*fn)(char *, ssize_t, char[BLKSIZ]))
 			             (int)sizeof(h->prefix), h->prefix);
 		snprintf(fname + n, sizeof(fname) - n, "%.*s",
 		         (int)sizeof(h->name), h->name);
+		sanitizepath(fname);
 
 		if ((size = strtol(h->size, &p, 8)) < 0 || *p != '\0')
 			eprintf("strtol %s: invalid number\n", h->size);
-- 
2.1.4