Problem/Motivation

We backported one recent hardening of Archive_Tar in #3195939: hardening of destructor in Archive_Tar, but a few other changes have been made recently which D7 is now out-of-sync with.

Note that this is not a security release - see: #3211037: Inaccurate github security advisory re Archive_Tar and CVE-2020-36193.

Steps to reproduce

Diff the 1.4.13 release of Archive_Tar's Tar.php with D7's current system.tar.inc.

Proposed resolution

Bring system.tar.inc up-to-date with all upstream changes.

Remaining tasks

There is one remaining whitespace only difference, but I think D7 has the correct indentation. I'll file a follow-up with Archive_Tar to fix that upstream.

User interface changes

None.

API changes

Legitimate symlinks within archives will be allowed again, but only if the appropriate option is passed to Archive_Tar's methods. Core doesn't do this so symlinks are not allowed in core's direct use of the class.

Data model changes

None.

Release notes snippet

Not sure we need one.

Comment | File | Size | Author
#2 | 3211204-2.patch | 4.57 KB | mcdruid

Comments

mcdruid created an issue. See original summary.

mcdruid:

Status: Active » Needs review
Attached file: status new, size 4.57 KB

Since filing #3102159: Add tests for Archive_Tar, I have actually discovered that there is some test coverage for Archive_Tar in D7.

\UpdateTestUploadCase::testUploadModule() exercises it to extract a test module archive (which is the main thing that core uses this for), so that would fail if the class was totally broken.

I have some more tests written which I'll add in the aforementioned issue.

poker10:

Status: Needs review » Closed (outdated)

Thanks for working on this. I think all of these changes were included and fixed in #3247738: sync system.tar.inc with Archive_Tar 1.4.14 and https://www.drupal.org/sa-core-2021-004, so closing this.