Origin: https://github.com/drupal/drupal/commit/4c665d911d4cf2eb4b5f92a6d141b85afbf51f90
Forwarded: not-needed
From: larowlan, stephenacrossri, siliconmeadow, mcdruid, xjm, vijaycs85, mlhess, greggles
Date: Thu 21 Jan 2021 01:00:12 PM CST
Subject: Fixes for SA-CORE-2021-001
 Backported the diff between 7.77 and 7.78, applying it to the version in the
 old-stable Debian release (7.52)
 .
 SA-CORE-2021-001 (CVE-2020-36193) addresses out-of-path extraction
 vulnerabilities in the Archive_Tar library.
Index: drupal7/modules/system/system.tar.inc
===================================================================
--- drupal7.orig/modules/system/system.tar.inc
+++ drupal7/modules/system/system.tar.inc
@@ -2148,6 +2148,14 @@ class Archive_Tar
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
+                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                            $this->_error(
+                                'Out-of-path file extraction {'
+                                . $v_header['filename'] . ' --> ' .
+                                $v_header['link'] . '}'
+                            );
+                            return false;
+                        }
                         if (!$p_symlinks) {
                             $this->_warning('Symbolic links are not allowed. '
                                 . 'Unable to extract {'
