Origin: https://github.com/drupal/drupal/commit/6435c5fabba53d2275c4ce7c889ad2bb1d49dff7
Forwarded: not-needed
From: larowlan, drumm, mlhess, mcdruid, xjm
Date: Thu 26 Nov 12:36:40 AM CST 2020
Subject: Fixes for SA-CORE-2020-013
 Backported the diff between 7.74 and 7.75, applying it to the version in the
 old-stable Debian release (7.52)
 .
 SA-CORE-2020-013 (CVE not yet issued) deals with remote code execution due to
 insecure handling of "://" in file names by the Archive_Tar library.
Index: drupal7/modules/system/system.tar.inc
===================================================================
--- drupal7.orig/modules/system/system.tar.inc
+++ drupal7/modules/system/system.tar.inc
@@ -1792,7 +1792,7 @@ class Archive_Tar
 
         // ----- Extract the properties
         $v_header['filename'] = rtrim($v_data['filename'], "\0");
-        if ($this->_maliciousFilename($v_header['filename'])) {
+        if ($this->_isMaliciousFilename($v_header['filename'])) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_header['filename'] .
                 '" will not install in desired directory tree'
@@ -1828,9 +1828,9 @@ class Archive_Tar
      *
      * @return bool
      */
-    private function _maliciousFilename($file)
+    private function _isMaliciousFilename($file)
     {
-        if (strpos($file, 'phar://') === 0) {
+        if (strpos($file, '://') !== false) {
             return true;
         }
         if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
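Review bot: `_isMaliciousFilename()` is applied only to the entry name at the two call sites this patch touches, so a header's link target is not covered by anything visible here. If symlink or hard-link entries are extracted elsewhere in the class, their targets need the same `://` and `../` rejection before they are used as paths. The broadened test itself looks sound, since matching `://` anywhere also rejects scheme spellings that the old anchored, case-sensitive `phar://` comparison let through. That intent is worth recording above the new line, e.g. `// Reject every stream-wrapper URL, not only phar://; PHP matches wrapper scheme names case-insensitively.` The function body continues past the end of this hunk, so its remaining checks could not be reviewed.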
@@ -1866,7 +1866,7 @@ class Archive_Tar
 
         $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
         $v_header['filename'] = $v_filename;
-        if ($this->_maliciousFilename($v_filename)) {
+        if ($this->_isMaliciousFilename($v_filename)) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_filename .
                 '" will not install in desired directory tree'
