- 25 Mar, 2021 1 commit
-
-
Ondrej Holy authored
The CVE number for #12 has been assigned after the release, so it is not part of the NEWS file. Let's add the CVE number additionally at least.
-
- 13 Mar, 2021 1 commit
-
-
Ondrej Holy authored
-
- 12 Mar, 2021 21 commits
-
-
Ondrej Holy authored
(Malicious) archives can have entries with symlinks in parents. Archive entries can have absolute paths, or relative paths that point outside of the destination. Let's add a test to ensure that extraction fails with an error for symlinks in parents and tests to verify that malformed paths are correctly sanitized and not written outside.
-
Ondrej Holy authored
(Malicious) archives can have malformed paths with `..` segments so they point outside of the destination. The `autoar_extractor_do_sanitize_pathname` function already sanitizes those paths to be inside of the destination, however, the code from `autoar_extractor_step_decide_destination` operates on paths, which are not yet sanitized and fails with the following criticals: `g_file_resolve_relative_path: assertion 'relative_path != NULL' failed`. Let's use the `autoar_extractor_do_sanitize_pathname` also here to fix these criticals.
-
Ondrej Holy authored
Currently, it is still possible that some files are extracted outside of the destination dir in case of malicious archives. The checks from commit adb067e6 can be still bypassed in certain cases. See file-roller#108 for more details. After some investigation, I am convinced that it would be best to simply disallow symlinks in parents. For example, `tar` fails to extract such files with the `ENOTDIR` error. Let's do the same here. Fixes: #12
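
The check this commit message describes (refuse an entry when one of its parent directories is a symlink, failing with `ENOTDIR` as `tar` does), sketched in plain POSIX C as an added example; it is not gnome-autoar's code, and `check_parents_not_symlinks` and the sample paths are hypothetical. A parent that does not exist yet is treated as safe, and the entry path is assumed to be sanitized already.

```c
#define _XOPEN_SOURCE 700   /* for lstat(), symlink(), mkdtemp() */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a gnome-autoar function. Returns 0 when no parent
 * directory of `entry` below `dest` is a symlink; otherwise -1 with errno set
 * (ENOTDIR for a symlinked parent, the error tar reports).
 * Assumes `entry` is already sanitized: relative, no ".." segments. */
int check_parents_not_symlinks(const char *dest, const char *entry)
{
    char path[PATH_MAX];
    struct stat st;
    int len = snprintf(path, sizeof path, "%s/%s", dest, entry);
    if (len < 0 || (size_t)len >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Each '/' after `dest` ends one parent component of the entry. */
    for (char *p = path + strlen(dest) + 1; (p = strchr(p, '/')); p++) {
        *p = '\0';
        int r = lstat(path, &st);   /* lstat() does not follow the link */
        *p = '/';
        if (r != 0 && errno == ENOENT)
            break;                  /* not created yet: nothing to follow */
        if (r != 0)
            return -1;              /* unexpected error: refuse the entry */
        if (S_ISLNK(st.st_mode)) {
            errno = ENOTDIR;
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    char dest[] = "/tmp/autoar-demo-XXXXXX", lnk[PATH_MAX]; /* constructed sample */
    if (!mkdtemp(dest) || snprintf(lnk, sizeof lnk, "%s/link", dest) < 0
        || symlink("/tmp", lnk) != 0)
        return 1;
    printf("dir/file.txt  -> %d\n", check_parents_not_symlinks(dest, "dir/file.txt"));
    printf("link/file.txt -> %d\n", check_parents_not_symlinks(dest, "link/file.txt"));
    return 0;
}
```

The check has to run for every entry right before it is written, because an earlier entry of the same archive can be the symlink that a later entry's path goes through.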
-
Ondrej Holy authored
This reverts commit adb067e6.
-
Ondrej Holy authored
This reverts commit cc4e8b7c.
-
Ondrej Holy authored
In case of conflict, when skipping some file, the `total_size` and `total_files` are not updated, but neither are `completed_files` and `completed_size`. Let's reduce the `total_size` and `total_files`. The same approach is used in Nautilus when skipping.
-
Ondrej Holy authored
The symlink, or hardlink should be rewritten itself, not its target. Let's add tests to verify this.
-
Ondrej Holy authored
Currently, symlinks are followed when detecting conflicts. But this is not desired as the original file caused the conflict, not its target.
-
Ondrej Holy authored
To be honest, it is not really clear to me what is the purpose of this test. As per the name, it should verify that error is returned when overwriting file over directory. However, I think that it is totally fine to overwrite empty directory. Anyway, the overwrite action is not explicitly chosen, so the skip action is used instead. Consequently, the test verifies that `error` is not set. So it looks to me that the test is totally wrong. Let's modify and rename the test, so it really checks that error is returned when somebody tries to overwrite non-empty directory.
-
Ondrej Holy authored
Current logic doesn't detect conflicts when extracting directory. This is ok, but only for the case when the conflict is caused by directory. Otherwise, the conflict should be detected and AutoarExtractor should try to delete the file before creating new directory.
-
Ondrej Holy authored
Currently, `g_file_replace` is used to write files. However, it uses `G_FILE_CREATE_NONE` which keeps old permissions. It should rather use `G_FILE_CREATE_REPLACE_DESTINATION` instead to not keep any old permissions as it is among others used by File Roller. However, there is a bug in `G_FILE_CREATE_REPLACE_DESTINATION` implementation, see glib#2325. Let's explicitly delete that file and use `g_file_create` instead. This will also fix problems when overwriting file by directory and ensures that hardlinks will be replaced and not just modified.
-
Ondrej Holy authored
From the code, it was not really clear what is the default action for conflicts. Let's add a test which verifies that conflicting files are skipped by default.
-
Ondrej Holy authored
The tests for conflicts contain several bugs and also are not able to distinguish between skip and overwrite actions. Let's modify the tests so they can really verify whether the files are skipped, or overwritten.
-
Ondrej Holy authored
The test for conflict contains `test-one-file-` prefix which doesn't make much sense here and just makes the name too long. Let's use just `test-` prefix instead.
-
Ondrej Holy authored
The `AUTOAR_CONFLICT_OVERWRITE` is set as default value for the action variable when conflict occurred. However, `g_signal_emit` clears that variable to `0` if the signal is unhandled. But `0` is currently mapped to `AUTOAR_CONFLICT_SKIP`. So the code is a little bit confusing. I think that overwrite is the right thing in most cases and also this is the default behavior of `tar` as an archive may contain several versions of some file and the last one is the newest. However, gnome-autoar allows extraction in the non-empty folders and has conflict API, so it would be really safer to use the skip action by default. Let's add the `AUTOAR_CONFLICT_UNHANDLED` action for better control and use the `AUTOAR_CONFLICT_SKIP` action by default.
-
Ondrej Holy authored
A test for the `output-is-dest` property is missing currently. Let's add one to be sure that extra directory is not created for an archive with a file with a different name.
-
Ondrej Holy authored
If the `output-is-dest` property is `TRUE`, the `prefix` is not cleared and is passed to `decide-destination` signal. This looks unexpected because it allows to change even the prefix which doesn't match archive name, which is not allowed even if `output-is-dest` is `FALSE`. I am convinced that it should not be allowed to change the `prefix` at all in this case. Let's clear the `prefix` variable to avoid that.
-
Ondrej Holy authored
At the beginning, the file list is printed in the debug output. However, it doesn't contain targets of symlinks and hardlinks. Let's print them as well. Also print symlink target when writing it on the disk similarly to hardlinks.
-
Ondrej Holy authored
`g_file_make_directory_with_parents` is called to create `self->destination_dir` directory before extraction. However, the files may be written to completely different dir later if they have common prefix and the prefix is consequently changed over `decide-destination` signal. Let's use `self->prefix_new` if it is set to prevent creation of unrelated directories.
-
Ondrej Holy authored
The returned value from `g_file_get_path` is not consequently freed. Let's use `g_file_peek_path` instead to fix the leak.
-
Ondrej Holy authored
The documentation refers to non-existing functions and properties. It also contains misleading info about behavior of some functions, or their parameters. Let's try to make the documentation clearer. This also fixes some typos.
-
- 09 Mar, 2021 1 commit
-
-
Ondrej Holy authored
Recursive delete has been added by commit 58ac8fc5 to remove already created directories when extraction fails because of an invalid password. In fact, it deletes the whole `destination_dir` also in case of other failures, which is maybe not the best approach, but ok. However, a problem is that gnome-autoar allows extraction in non-empty destination, so this might remove also files which were not initially created by gnome-autoar. Fortunately, nautilus and gnome-shell currently always extract in an extra directory. But what is worse is the fact, that if the files in the archive have a common prefix, then the `destination_dir` is actually a parent of that extra directory in the case of nautilus and gnome-shell (but API allows to set completely unrelated path)! So this can easily cause huge data loss! It would probably be better to create parent directories only when `archive_read_data_block` succeeds instead of deleting them later. Alternatively, gnome-autoar could track which files were written and delete just those on that list. But for now, let's just remove the code for recursive delete and do not care about leftover files...
-
- 05 Mar, 2021 1 commit
-
- 12 Feb, 2021 5 commits
-
-
Ondrej Holy authored
-
Ondrej Holy authored
Currently, it is not possible to extract archives that don't explicitly contain parent folders. This is an unintentional regression caused by commit adb067e6. Let's simply ignore G_IO_ERROR_NOT_FOUND errors when looking for symlinks to fix this. Fixes: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/11
-
Hernawan Faïz Abdillah authored
It's auto-indented, which might be due to the comment above it.
-
Hernawan Faïz Abdillah authored
The application/x-gzip is already covered by its alias application/gzip.
-
Hernawan Faïz Abdillah authored
Autoar can't detect an archive with a non-standard unsupported content type that is actually an alias of an existing supported type. To avoid listing all those aliases, we instead check for a similar type through g_content_type_equals. Fixes #8
-
- 11 Feb, 2021 1 commit
-
-
Felipe Borges authored
AutoarExtractor used to error out when libarchive reported an archive entry to be encrypted. We now emit a "passphrase-requested" signal that clients can connect to return a single passphrase string which libarchive will attempt to use to decrypt the files. For an empty or invalid password, AutoarExtractor will emit its "error" signal and clean up the destination directory. Although libarchive supports different passwords for each item, this implementation assumes the same password for all entries in a given archive. Single password per archive seems to be the most common use-case for regular desktop end users. See nautilus#327 Fixes #1
-
- 09 Feb, 2021 4 commits
-
-
Peter Keresztes Schmidt authored
-
Peter Keresztes Schmidt authored
Rename the function parameter of autoar_extractor_set_delete_after_extraction so it matches the name of the property it sets.
-
Peter Keresztes Schmidt authored
-
Peter Keresztes Schmidt authored
Following compile warnings showed up when link, mkfifo and mklink weren't defined:

```
../gnome-autoar/autoar-extractor.c: In function ‘autoar_extractor_do_write_entry’:
../gnome-autoar/autoar-extractor.c:993:17: warning: unused variable ‘uname’ [-Wunused-variable]
  993 |     const char *uname;
      |                 ^~~~~
../gnome-autoar/autoar-extractor.c:1022:17: warning: unused variable ‘gname’ [-Wunused-variable]
 1022 |     const char *gname;
      |                 ^~~~~
../gnome-autoar/autoar-extractor.c:1237:1: warning: label ‘applyinfo’ defined but not used [-Wunused-label]
 1237 | applyinfo:
      | ^~~~~~~~~
../gnome-autoar/autoar-extractor.c:941:7: warning: variable ‘r’ set but not used [-Wunused-but-set-variable]
  941 |   int r;
      |       ^
```
-
- 04 Feb, 2021 1 commit
-
-
Ondrej Holy authored
Currently, a malicious archive can cause that the files are extracted outside of the destination dir. This can happen if the archive contains a file whose parent is a symbolic link, which points outside of the destination dir. This is potentially a security threat similar to CVE-2020-11736. Let's skip such problematic files when extracting. Fixes: #7
-
- 03 Feb, 2021 1 commit
-
-
Ondrej Holy authored
This project is crucial for Nautilus, but it is obviously unmaintained currently. I took over Nautilus maintainership from Carlos. So I hope it doesn't mind to take over gnome-autoar as well.
-
- 19 Mar, 2019 1 commit
-
-
Carlos Soriano authored
-
- 09 Feb, 2019 1 commit
-
-
- 25 Feb, 2018 1 commit
-
-
Carlos Soriano Sánchez authored
-