Allow the --output option of the "ar" prorgam to extract files to locations outside...

	* ar.c (open_output_file): Check for filename validity before
	prefixing with output directory.
	Display the constructed output filename if in verbose mode.
	(extract_file): Let open_output_file display the filename.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index fb1a99d5ae41c056d661f8806e4f954ad307fcdf..06823b27ab2a210a6f6186d21e156e39e385c80c 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,10 @@
+2019-11-07  Nick Clifton  <nickc@redhat.com>
+
+       * ar.c (open_output_file): Check for filename validity before
+       prefixing with output directory.
+       Display the constructed output filename if in verbose mode.
+       (extract_file): Let open_output_file display the filename.
+
 2019-11-07  Nick Clifton  <nickc@redhat.com>
 
        * objcopy.c (copy_object): Skip note sections that do not have

diff --git a/binutils/ar.c b/binutils/ar.c
index 0af7954a47a2574f6a7cddac6454abe6f77b3bf4..b8342ce65a1b530cff68e3287e706ba13988b593 100644 (file)
--- a/binutils/ar.c
+++ b/binutils/ar.c
@@ -1070,6 +1070,18 @@ open_output_file (bfd * abfd)
 {
   output_filename = bfd_get_filename (abfd);
 
+  /* PR binutils/17533: Do not allow directory traversal
+     outside of the current directory tree - unless the
+     user has explicitly specified an output directory.  */
+  if (! is_valid_archive_path (output_filename))
+    {
+      char * base = (char *) lbasename (output_filename);
+
+      non_fatal (_("illegal output pathname for archive member: %s, using '%s' instead"),
+                output_filename, base);
+      output_filename = base;
+    }
+  
   if (output_dir)
     {
       size_t len = strlen (output_dir);
@@ -1083,18 +1095,10 @@ open_output_file (bfd * abfd)
            output_filename = concat (output_dir, "/", output_filename, NULL);
        }
     }
-    
-  /* PR binutils/17533: Do not allow directory traversal
-     outside of the current directory tree.  */
-  if (! is_valid_archive_path (output_filename))
-    {
-      char * base = (char *) lbasename (output_filename);
-
-      non_fatal (_("illegal output pathname for archive member: %s, using '%s' instead"),
-                output_filename, base);
-      output_filename = base;
-    }
 
+  if (verbose)
+    printf ("x - %s\n", output_filename);
+  
   FILE * ostream = fopen (output_filename, FOPEN_WB);
   if (ostream == NULL)
     {
@@ -1126,9 +1130,6 @@ extract_file (bfd *abfd)
     fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
   size = buf.st_size;
 
-  if (verbose)
-    printf ("x - %s\n", bfd_get_filename (abfd));
-
   bfd_seek (abfd, (file_ptr) 0, SEEK_SET);
 
   output_file = NULL;

diff --git a/binutils/doc/binutils.texi b/binutils/doc/binutils.texi
index 2a86b92033af83230f541c0a515111bb3623ed0f..11de2d3deb7977c826b8f35634b64badfab483ca 100644 (file)
--- a/binutils/doc/binutils.texi
+++ b/binutils/doc/binutils.texi
@@ -390,7 +390,9 @@ are extracted.
 Files cannot be extracted from a thin archive, and there are
 restrictions on extracting from archives created with @option{P}: The
 paths must not be absolute, may not contain @code{..}, and any
-subdirectories in the paths must exist.
+subdirectories in the paths must exist.  If it is desired to avoid
+these restrictions then used the @option{--output} option to specify
+an output directory.
 @end table
 
 A number of modifiers (@var{mod}) may immediately follow the @var{p}
@@ -589,11 +591,6 @@ Note - although the presence of this option does imply a @option{x}
 extraction operation that option must still be included on the command
 line.
 
-Note - using this option does not allow archive members to be
-extracted to locations outside of the current directory, or one of its 
-sub-directories.  This is a security feature to prevent archives
-created with the @option{P} option from maliciously overwriting user
-files.
 @end table
 @c man end