SQLite

Check-in [27291f2d]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fix the ".archive" command in the CLI (and the corresponding -A command-line option) so that it silently ignores filenames that contain "../" in their names. This prevents the "Zip Slip" attack.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 27291f2d7fd4dadf2ee9b9a7d1373158cadfbaf83c3654b00d7030dc921770c6
User & Date: drh 2018-06-06 01:18:01
Context
2018-06-06
16:28
Change sqlite3BtreeBeginTrans() to return the BTREE_SCHEMA_COOKIE, for a small speed improvement when starting new transactions. (check-in: a10662aa user: drh tags: trunk)
01:18
Fix the ".archive" command in the CLI (and the corresponding -A command-line option) so that it silently ignores filenames that contain "../" in their names. This prevents the "Zip Slip" attack. (check-in: 27291f2d user: drh tags: trunk)
2018-06-05
23:51
Update the version number to 3.25.0 for the next development cycle. (check-in: 7598236c user: drh tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/shell.c.in.

5280
5281
5282
5283
5284
5285
5286
5287

5288
5289
5290
5291
5292
5293
5294
** Implementation of .ar "eXtract" command. 
*/
static int arExtractCommand(ArCommand *pAr){
  const char *zSql1 = 
    "SELECT "
    " ($dir || name),"
    " writefile(($dir || name), %s, mode, mtime) "
    "FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)";


  const char *azExtraArg[] = { 
    "sqlar_uncompress(data, sz)",
    "data"
  };

  sqlite3_stmt *pSql = 0;







|
>







5280
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
** Implementation of .ar "eXtract" command. 
*/
static int arExtractCommand(ArCommand *pAr){
  const char *zSql1 = 
    "SELECT "
    " ($dir || name),"
    " writefile(($dir || name), %s, mode, mtime) "
    "FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)"
    " AND name NOT GLOB '*..[/\\]*'";

  const char *azExtraArg[] = { 
    "sqlar_uncompress(data, sz)",
    "data"
  };

  sqlite3_stmt *pSql = 0;