libarchive: Skip files with symlinks in parents
Currently, it is still possible that some files are extracted outside of the destination dir in case of malicious archives. The checks from commit 21dfcdbf can be still bypassed in certain cases. See GNOME/file-roller#108 for more details. After some investigation, I am convinced that it would be best to simply disallow symlinks in parents. For example, `tar` fails to extract such files with the `ENOTDIR` error. Let's do the same here. Fixes: https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
parent
88376604
Please register or sign in to comment