Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Fix the ".archive" command in the CLI (and the corresponding -A command-line option) so that it silently ignores filenames that contain "../" in their names. This prevents the "Zip Slip" attack. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
27291f2d7fd4dadf2ee9b9a7d1373158 |
| User & Date: | drh 2018-06-06 01:18:01 |
Context
|
2018-06-06
| ||
| 16:28 | Change sqlite3BtreeBeginTrans() to return the BTREE_SCHEMA_COOKIE, for a small speed improvement when starting new transactions. (check-in: a10662aa user: drh tags: trunk) | |
| 01:18 | Fix the ".archive" command in the CLI (and the corresponding -A command-line option) so that it silently ignores filenames that contain "../" in their names. This prevents the "Zip Slip" attack. (check-in: 27291f2d user: drh tags: trunk) | |
|
2018-06-05
| ||
| 23:51 | Update the version number to 3.25.0 for the next development cycle. (check-in: 7598236c user: drh tags: trunk) | |
Changes
Changes to src/shell.c.in.
| ︙ | ︙ | |||
5280 5281 5282 5283 5284 5285 5286 |
** Implementation of .ar "eXtract" command.
*/
static int arExtractCommand(ArCommand *pAr){
const char *zSql1 =
"SELECT "
" ($dir || name),"
" writefile(($dir || name), %s, mode, mtime) "
| | > | 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291 5292 5293 5294 5295 |
** Implementation of .ar "eXtract" command.
*/
static int arExtractCommand(ArCommand *pAr){
const char *zSql1 =
"SELECT "
" ($dir || name),"
" writefile(($dir || name), %s, mode, mtime) "
"FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)"
" AND name NOT GLOB '*..[/\\]*'";
const char *azExtraArg[] = {
"sqlar_uncompress(data, sz)",
"data"
};
sqlite3_stmt *pSql = 0;
|
| ︙ | ︙ |