1. 29 Jul, 2020 1 commit
    • Fix vulnerability to path traversal attacks · 0df59252
      Elvis Angelaccio authored
      Ark was vulnerable to directory traversal attacks because of
      missing validation of file paths in the archive.
      
      More details about this attack are available at:
      https://github.com/snyk/zip-slip-vulnerability
      
      Job::onEntry() is the only place where we can safely check the path of
      every entry in the archive. There shouldn't be a valid reason
      to have a "../" in an archive path, so we can just play safe and abort
      the LoadJob if we detect such an entry. This makes it impossible to
      extract this kind of malicious archive and perform the attack.
      
      Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
      so that we can still allow loading of legitimate archives that
      contain "../" in their paths but still resolve inside the extraction folder.
  2. 22 Jul, 2020 1 commit
  3. 11 Jul, 2020 2 commits
  4. 10 Jul, 2020 2 commits
  5. 03 Jul, 2020 3 commits
  6. 18 Jun, 2020 4 commits
  7. 17 Jun, 2020 4 commits
  8. 14 Jun, 2020 1 commit
  9. 13 Jun, 2020 1 commit
  10. 08 Jun, 2020 3 commits
  11. 02 Jun, 2020 2 commits
  12. 21 May, 2020 1 commit
  13. 17 May, 2020 1 commit
  14. 11 May, 2020 4 commits
  15. 04 May, 2020 1 commit
    • libarchive: Improve error-handling when loading archive · b47c5346
      Ragnar Thomsen authored
      Improves error-handling in LibarchivePlugin::list().
      
      Previously we only checked whether we could read until the end of the
      archive, and even if we couldn't there was no error shown to the user.
      Now we check the return value of both archive_read_next_header() and
      archive_read_data_skip(), and show a corrupt archive query if either
      was not successful.
      
      This partially solves bug 411074, as Ark now at least gives a warning
      when opening a corrupt archive with libarchiveplugin. We still need to
      improve error-handling when extracting, but this requires some
      refactoring first so will be done later.
      CCBUG: 411074
      Differential Revision: D29383
  16. 27 Apr, 2020 2 commits
  17. 26 Apr, 2020 1 commit
  18. 15 Apr, 2020 3 commits
  19. 12 Apr, 2020 3 commits
    • Optimize LoadJob::onNewEntry · 8d6ba3d3
      Nicolas Fella authored
      Summary: Same observation and resolution as in D25565
      
      Test Plan: Verified performance gain with hotspot
      
      Reviewers: #ark, rthomsen
      
      Reviewed By: #ark, rthomsen
      
      Subscribers: rthomsen, dakon, kde-utils-devel
      
      Tags: #ark
      
      Differential Revision: https://phabricator.kde.org/D26356
    • Merge branch 'release/20.04' · 1e2af928
      Ragnar Thomsen authored
      * release/20.04:
        Forward errors from archive interface when batch-extracting
        libzip: Enable progress when batch-extracting
        Revert "Make it compile against last qt5.15 without deprecated method"
        GIT_SILENT made messages (after extraction)
        SVN_SILENT made messages (.desktop file) - always resolve ours
        GIT_SILENT Upgrade release service version to 20.03.90.
        libarchive backend: display permissions in octal format
        GIT_SILENT Upgrade release service version to 20.03.80.
    • Forward errors from archive interface when batch-extracting · eeee61d2
      Ragnar Thomsen authored
      Errors from ExtractJob are not handled when called as a subjob of
      BatchExtractJob. This can result in silently failing extractions.
      
      CCBUG: 387996
      Differential Revision: D28721