Bug 450134 - Opening an archive containing a directory with a name ending in ".." fails with an error message.
Status: RESOLVED FIXED
Alias: None
Product: ark
Classification: Applications
Component: general (other bugs)
Version First Reported In: 20.12.2
Platform: Kubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Elvis Angelaccio
 
Reported: 2022-02-13 08:41 UTC by deepfriedice
Modified: 2022-04-14 22:55 UTC (History)

Attachments
Example failing file. (10.00 KB, application/x-tar)
2022-02-13 08:41 UTC, deepfriedice

Description deepfriedice 2022-02-13 08:41:04 UTC
Created attachment 146659
Example failing file.

SUMMARY
Opening an archive containing a directory with a name ending in ".." fails with an error message.

STEPS TO REPRODUCE
1. mkdir 'test..'
2. touch 'test../foo'
3. tar -cf 'test.tar' 'test..'
4. ark 'test.tar'

OBSERVED RESULT
The message: 'ark.kerfuffle: Possibly malicious archive. Detected entry that could lead to a directory traversal attack: "test../foo"' is printed on stdout.
An Ark window is shown, containing the error message: "Loading the archive <REMOVED>/test.tar failed with the following error:
Could not load the archive because it contains ill-formed entries and might be a malicious archive."

EXPECTED RESULT
The archive contents are shown in the window normally.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 20.04
KDE Plasma Version: 5.18.5
KDE Frameworks Version: 5.68.0
Qt Version: 5.12.8
Kernel Version: 5.4.0-96-generic
OS Type: 64-bit

ADDITIONAL INFORMATION
This appears to be caused by: https://invent.kde.org/utilities/ark/-/blob/master/kerfuffle/jobs.cpp#L164
I believe this code is intended to prevent directory traversal attacks by detecting if the archive contains any directory named "..". However, it actually detects if any directory name ends with "..".
Comment 1 Szymon Rutkowski 2022-02-21 22:18:11 UTC
Can confirm the issue on a newer version (20.12.2). The example file extracts with no problem with "tar -xf test.tar", so it seems a reasonable expectation that it would work.

Thanks for reporting. As you were able to find the likely cause in the code, be aware that submitting a patch to Ark would probably be welcome: https://community.kde.org/Get_Involved/development
Comment 2 Albert Astals Cid 2022-04-04 22:14:30 UTC
https://invent.kde.org/utilities/ark/-/merge_requests/112
Comment 3 Albert Astals Cid 2022-04-14 22:55:25 UTC
Git commit 71473ab372696a835e37bf11c7ac37f3e612b553 by Albert Astals Cid.
Committed on 14/04/2022 at 22:53.
Pushed by aacid into branch 'release/22.04'.

Relax protection against ../ on the file path

It should only be problematic if ../ is first on the path or if there's
a full /../ on the path. Having a ../ not at the beginning just means
that there's a folder that ends in ".." Weird but not wrong

M  +2    -1    kerfuffle/jobs.cpp

https://invent.kde.org/utilities/ark/commit/71473ab372696a835e37bf11c7ac37f3e612b553
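The difference between the check described in the report and the rule stated in the commit message, as an added example that is not Ark's code and is not taken from the commit. It uses `std::string` instead of Qt types; all function names and sample paths are hypothetical, and the third function is a stricter per-component variant that goes beyond what the commit message states.

```cpp
// Added illustration, not Ark's code. Function names are hypothetical.
#include <iostream>
#include <string>
#include <vector>

// Behaviour described in the report: any "../" substring is flagged,
// so a directory literally named "test.." trips the check.
bool substringCheckFlags(const std::string &path)
{
    return path.find("../") != std::string::npos;
}

// Rule worded in the commit message: flag a leading "../" or a full "/../".
bool relaxedCheckFlags(const std::string &path)
{
    return path.rfind("../", 0) == 0 || path.find("/../") != std::string::npos;
}

// Stricter generalisation (assumption, beyond the commit message): split on
// '/' and flag any component that is exactly "..", which also covers a
// trailing "/.." and a bare "..".
bool componentCheckFlags(const std::string &path)
{
    std::size_t start = 0;
    while (start <= path.size()) {
        std::size_t end = path.find('/', start);
        if (end == std::string::npos)
            end = path.size();
        if (path.compare(start, end - start, "..") == 0)
            return true;
        start = end + 1;
    }
    return false;
}

int main()
{
    // Constructed sample entry names.
    const std::vector<std::string> samples = {
        "test../foo", "../outside.txt", "a/../b", "a/..", "..", "a/..b/c"};
    for (const auto &p : samples) {
        std::cout << p << "  substring=" << substringCheckFlags(p)
                  << " relaxed=" << relaxedCheckFlags(p)
                  << " component=" << componentCheckFlags(p) << '\n';
    }
}
```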