Relative symlinks with parent folder reference inside archive are rejected as out-of-path
icedream opened this issue · comments
In this line an out-of-path check was introduced, which is supposed to make sure that symbolic links cannot point to paths outside of the extracted archive.
This logic does not properly make sure that symbolic links can point upwards of a subfolder inside the archive; it will treat that symbolic link as pointing out-of-path. Example:
invalid -> ../some-path
vendor/bin/some-name -> ../name/name/script.php
vendor/name/name/script.php
Consider the above structure for an archive. While the symlink invalid that points to a folder outside of the archive definitely should be rejected, as of right now the codebase would also reject the supposedly valid symlink vendor/bin/some-name which actually points to vendor/name/name/script.php inside the archive.
This has already been fixed with https://github.com/pear/Archive_Tar/releases/tag/1.4.13. I found this to still be an issue in another project and forgot to check the newer versions; sorry about that.
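
The check the issue asks for, as an added example (not Archive_Tar's code and not from the issue author): resolve the link target against the directory that contains the link, and reject only when the result climbs above the archive root. The function name `resolveLinkTarget` is hypothetical, and archive paths are assumed to be relative and `/`-separated.

```php
<?php
// Added example; resolveLinkTarget() is a hypothetical helper, not an Archive_Tar API.

/**
 * Lexically resolve a symlink target relative to the link's own directory.
 * Returns the normalized archive-relative path, or null when the target is
 * absolute or would escape the extraction root.
 */
function resolveLinkTarget(string $linkPath, string $target): ?string
{
    // An absolute (or empty) target can never be confined to the root.
    if ($target === '' || $target[0] === '/') {
        return null;
    }

    // Start from the directory containing the link, not from the archive root.
    $base = explode('/', $linkPath);
    array_pop($base); // drop the link's own file name

    $stack = [];
    foreach (array_merge($base, explode('/', $target)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // no-op components
        }
        if ($segment === '..') {
            if (count($stack) === 0) {
                return null; // would step above the extraction root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }

    // An empty string means the target is the extraction root itself.
    return implode('/', $stack);
}

// The two symlinks from the archive layout in the issue.
$links = [
    'invalid'              => '../some-path',
    'vendor/bin/some-name' => '../name/name/script.php',
];

foreach ($links as $link => $target) {
    $resolved = resolveLinkTarget($link, $target);
    $verdict  = $resolved === null ? 'reject (out-of-path)' : "accept, resolves to $resolved";
    printf("%s -> %s: %s\n", $link, $target, $verdict);
}
```

This is a purely lexical check on archive paths; it does not account for path components that are themselves symlinks already written to disk during extraction.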