Bug 450134

Summary: Opening an archive containing a directory with a name ending in ".." fails with an error message.
Product: [Applications] ark Reporter: deepfriedice
Component: generalAssignee: Elvis Angelaccio <elvis.angelaccio>
Status: RESOLVED FIXED    
Severity: normal CC: aacid, nate, rthomsen6, sz.rutkowski
Priority: NOR    
Version First Reported In: 20.12.2   
Target Milestone: ---   
Platform: Kubuntu   
OS: Linux   
Latest Commit: https://invent.kde.org/utilities/ark/commit/71473ab372696a835e37bf11c7ac37f3e612b553 Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Example failing file.

Description deepfriedice 2022-02-13 08:41:04 UTC 
Created attachment 146659 [details]
Example failing file.

SUMMARY
Opening an archive containing a directory with a name ending in ".." fails with an error message.

STEPS TO REPRODUCE
1. mkdir 'test..'
2. touch 'test../foo'
3. tar -cf 'test.tar' 'test..'
4. ark 'test.tar'

OBSERVED RESULT
The message: 'ark.kerfuffle: Possibly malicious archive. Detected entry that could lead to a directory traversal attack: "test../foo"' is printed on stdout.
An Ark window is shown, containing the error message: ''Loading the archive <REMOVED>/test.tar failed with the following error:
Could not load the archive because it contains ill-formed entries and might be a malicious archive.".

EXPECTED RESULT
The archive contents are shown in the window normally.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 20.04
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.68.0
Qt Version: 5.12.8
Kernel Version: 5.4.0-96-generic
OS Type: 64-bit

ADDITIONAL INFORMATION
This appears to be be caused by: https://invent.kde.org/utilities/ark/-/blob/master/kerfuffle/jobs.cpp#L164
I believe this code is intended to prevent directory traversal attacks by detecting if the archive contains any directory named "..". However, it actually detects if any directory name ends with "..".
Comment 1 Szymon Rutkowski 2022-02-21 22:18:11 UTC 
Can confirm the issue on a newer version (20.12.2). The example file extracts with no problem with "tar -xf test.tar", so it seems a reasonable expectation that it would work.

Thanks for reporting. As you were able to find the likely cause in the code, be aware that a submitting patch to Ark would probably be welcome: https://community.kde.org/Get_Involved/development
Comment 2 Albert Astals Cid 2022-04-04 22:14:30 UTC 
https://invent.kde.org/utilities/ark/-/merge_requests/112
Comment 3 Albert Astals Cid 2022-04-14 22:55:25 UTC 
Git commit 71473ab372696a835e37bf11c7ac37f3e612b553 by Albert Astals Cid.
Committed on 14/04/2022 at 22:53.
Pushed by aacid into branch 'release/22.04'.

Relax protection against ../ on the file path

It should only be problematic if ../ is first on the path or if there's
a full /../ on the path. Having a ../ not at the beginning just means
that there's a folder that ends in ".." Weird but not wrong

M  +2    -1    kerfuffle/jobs.cpp

https://invent.kde.org/utilities/ark/commit/71473ab372696a835e37bf11c7ac37f3e612b553