Create new configure option for archival/libarchive based extractions to
disallow path traversals.
As this is a paranoid option and might introduce backward
incompatibility, default it to no.
Fixes: CVE-2023-39810
Based on the patch by Peter Kaestle <peter.kaestle@nokia.com>
function old new delta
data_extract_all 921 945 +24
strip_unsafe_prefix 101 102 +1
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 25/0) Total: 25 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Commit 0068ce2fa (cut: add toybox-compatible options -O OUTSEP,
-D, -F LIST) added detection of reversed ranges. Further
improvements are possible.
- The test for reversed ranges compared the start after it had been
decremented with the end before decrement. It thus missed ranges
of the form 2-1.
- Zero isn't a valid start value for a range. (Nor is it a valid
end value, but that's caught by the test for a reversed range.)
- The code
if (!*ltok)
e = INT_MAX;
duplicates a check that's already been made.
- Display the actual range in the error message to make it easier
to find which range was at fault.
function old new delta
.rodata 100273 100287 +14
cut_main 1239 1237 -2
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/1 up/down: 14/-2) Total: 12 bytes
Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Using cut with the delimiter flag ("-d") with the "-s" flag to only
output lines containing the delimiter will print blank lines. This is
deviant behavior from cut provided by GNU Coreutils. Blank lines should
be omitted if "-s" is used with "-d".
This change introduces a somewhat naiive, yet efficient solution, where
line length is checked before looping though bytes. If line length is
zero and the "-s" flag is used, the code will jump to parsing the next
line to avoid printing a newline character.
function old new delta
cut_main 1196 1185 -11
Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Fix bug introduced in busybox 1.37.0 that broke kernel builds.
Fixes commit e2287f99fe (od: for !DESKTOP, match output more closely
to GNU coreutils 9.1, implement -s)
function old new delta
rewrite 967 976 +9
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
When text is inserted by insertLine() the lines following the
insertion are moved down and the insertion point is made the new
current line. To avoid too much scanning of the linked list of
lines setCurNum() may use the position of the old current line to
determine the location of the new current line.
If the insertion point is before the old current line in the file
the latter will have been moved down, so its line pointer needs to
be adjusted.
function old new delta
insertLine 162 180 +18
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 1/0 up/down: 18/0) Total: 18 bytes
Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Something is fishy with constrcts like "3==v=3" in gawk,
they should not work, but do. Ignore those for now.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Patch by M Rubon <rubonmtz@gmail.com>:
Busybox awk handles references to empty (not provided in the input)
fields differently during the first line of input, as compared to
subsequent lines.
$ (echo a ; echo b) | awk '$2 != 0' #wrong
b
No field $2 value is provided in the input. When awk references field
$2 for the "a" line, it is seen to have a different behaviour than
when it is referenced for the "b" line.
Problem in BusyBox v1.36.1 embedded in OpenWrt 23.05.0
Same problem also in 21.02 versions of OpenWrt
Same problem in BusyBox v1.37.0.git
I get the correct expected output from Ubuntu gawk and Debian mawk,
and from my fix.
will@dev:~$ (echo a ; echo b) | awk '$2 != 0' #correct
a
b
will@dev:~/busybox$ (echo a ; echo b ) | ./busybox awk '$2 != 0' #fixed
a
b
I built and poked into the source code at editors/awk.c The function
fsrealloc(int size) is core to allocating, initializing, reallocating,
and reinitializing fields, both real input line fields and imaginary
fields that the script references but do not exist in the input.
When fsrealloc() needs more field space than it has previously
allocated, it initializes those new fields differently than how they
are later reinitialized for the next input line. This works fine for
fields defined in the input, like $1, but does not work the first time
when there is no input for that field (e.g. field $99)
My one-line fix simply makes the initialization and clrvar()
reinitialization use the same value for .type. I am not sure if there
are regression tests to run, but I have not done those.
I'm not sure if I understand why clrvar() is not setting .type to a
default constant value, but in any case I have left that untouched.
function old new delta
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/0 up/down: 0/0) Total: 0 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Add option to change the running directory before starting the process.
This can be done using -d or --chdir options. Add also test cases to
start-stop-daemon to test out the directory change option.
function old new delta
packed_usage 34602 34648 +46
start_stop_daemon_main 1107 1130 +23
start_stop_daemon_longopts 156 164 +8
.rodata 105382 105384 +2
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 4/0 up/down: 79/0) Total: 79 bytes
Signed-off-by: ejaaskel <esa.jaaskela@suomi24.fi>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
* Added tests for od (non-DESKTOP little-endian)
* Allow 'optional' to invert meaning of a config option with '!'
Signed-off-by: David Leonard <d+busybox@adaptive-enterprises.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/find.html
-ok utility_name [argument ...] ;
The -ok primary shall be equivalent to -exec, except that the use
of a <plus-sign> to punctuate the end of the primary expression
need not be supported, and find shall request affirmation of the
invocation of utility_name using the current file as an argument
by writing to standard error as described in the STDERR section. If
the response on standard input is affirmative, the utility shall be
invoked. Otherwise, the command shall not be invoked and the value
of the -ok operand shall be false.
function old new delta
do_exec 438 517 +79
parse_params 1833 1845 +12
static.params 288 292 +4
.rodata 100771 100775 +4
packed_usage 34543 34541 -2
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 4/1 up/down: 99/-2) Total: 97 bytes
Signed-off-by: David Leonard <d+busybox@adaptive-enterprises.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
fixes https://bugs.busybox.net/show_bug.cgi?id=14781
function old new delta
evaluate 3343 3357 +14
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
