Problem/Motivation
We backported one recent hardening of Archive_Tar in #3195939: hardening of destructor in Archive_Tar, but a few other changes have been made recently which D7 is now out-of-sync with.
Note that this is not a security release - see: #3211037: Inaccurate github security advisory re Archive_Tar and CVE-2020-36193.
Steps to reproduce
Diff the 1.4.13 release of Archive_Tar's Tar.php with D7's current system.tar.inc.
Proposed resolution
Bring system.tar.inc up-to-date with all upstream changes.
Remaining tasks
There is one remaining whitespace only difference, but I think D7 has the correct indentation. I'll file a follow-up with Archive_Tar to fix that upstream.
User interface changes
None.
API changes
Legitimate symlinks within archives will be allowed again, but only if the appropriate option is passed to Archive_Tar's methods. Core doesn't do this so symlinks are not allowed in core's direct use of the class.
Data model changes
None.
Release notes snippet
Not sure we need one.
Comment | File | Size | Author |
---|---|---|---|
#2 | 3211204-2.patch | 4.57 KB | mcdruid |
Comments
Comment #2
mcdruid
Since filing #3102159: Add tests for Archive_Tar I have actually discovered that there is some test coverage for Archive_Tar in D7.
\UpdateTestUploadCase::testUploadModule() exercises it to extract a test module archive (which is the main thing that core uses this for), so that would fail if the class was totally broken.
I have some more tests written which I'll add in the aforementioned issue.
Comment #3
poker10 at ActivIT s.r.o. commented:
Thanks for working on this. I think all of these changes were included and fixed in #3247738: sync system.tar.inc with Archive_Tar 1.4.14 and https://www.drupal.org/sa-core-2021-004, so closing this.