Skip to content

cli: strip path separators from extracted binary tag filenames#258

Merged
dbry merged 1 commit into
dbry:masterfrom
aizu-m:binary-tag-extract-path-traversal
Jul 14, 2026
Merged

cli: strip path separators from extracted binary tag filenames#258
dbry merged 1 commit into
dbry:masterfrom
aizu-m:binary-tag-extract-path-traversal

Conversation

@aizu-m

@aizu-m aizu-m commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Extracting a binary tag item to a file (cover art, wvunpack -xx "Field=%t") names the output after the item's embedded filename. That name is untrusted: it is the tag value bytes up to the first NUL, straight from the .wv/APEv2 tag. dump_tag_item_to_file() runs it through filespec_name() first, but filespec_name() only removes the platform's native separator:

embedded name:  ../../../../../ab.jpg
filespec_name(), _WIN32 build  ->  ../../../../../ab.jpg
filespec_name(), POSIX build   ->  ab.jpg

Windows treats both / and \ as separators, so on Windows a forward-slash name passes through unchanged and reaches fopen() as the output name, writing the file above the target directory. POSIX has the mirror gap: an embedded \ survives (harmless there, but it is the same routine). I found it by crafting a cover-art tag whose embedded name held separators and watching where the extracted file landed.

Reduce the embedded name to its final component, checking both separators, before it becomes the output name. Normal filenames are unaffected. wvtag keeps an identical copy of the function and is fixed the same way.

@dbry dbry merged commit 89762c4 into dbry:master Jul 14, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants