feat: increase default SymLinks_DangerousLevel from 5 to 10 #8
Open
Zeno-sole wants to merge 1 commit into
Change the default symlink dangerous level from 5 to 10 for better compatibility with legitimate cross-directory symlinks.

Level 10 (vs 5) differences:
- Disables the low-level check (level <= 5 && LowLevel < 0) that incorrectly rejects symlinks with ../ that don't actually escape the extraction root (e.g. winsxs/../../system32/*.dll).
- Disables the final-level check (level <= 5 && FinalLevel < 1).
- Disables the chain symlink filesystem check (CheckLinkPath_in_FS) to avoid false positives when intermediate directories are themselves symlinks (common in Wine prefixes).
- Disables hardlink-to-symlink rejection.

The IsSafePath() core defense on the constructed full path (prefix path + link target) remains active, catching all real directory traversal attacks.

To disable symlink extraction entirely, use -snl-.

Log: Increased default symlink dangerous level from 5 to 10

Influence:
1. Test symlink extraction with absolute paths (e.g. /dev/ttyS2)
2. Test ../ symlink extraction (e.g. winsxs/../../system32/)
3. Test -snl- still disables symlinks when needed
4. Verify benchmark and basic functionality not affected
5. Verify no regression on regular archive extraction

feat: increase the 7zip default symlink dangerous level from 5 to 10

Raise the default symlink safety level from 5 to 10 to improve compatibility with legitimate cross-directory symlinks (e.g. the Wine winsxs scenario).

The IsSafePath() core safety line (traversal detection on the constructed full path) remains in effect. To disable symlink extraction entirely, use -snl-.

Log: Increased the default symlink dangerous level from 5 to 10

Influence:
1. Test extraction of absolute-path symlinks (e.g. /dev/ttyS2)
2. Test extraction of ../ symlinks (e.g. winsxs/../../system32/)
3. Test that -snl- still disables symlinks
4. Verify benchmark and basic functionality are unaffected
5. Verify no regression in regular archive extraction

repo: 7zip #main
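The description above contrasts a per-component "low level" check, which rejects any target whose ../ climbs above the link's own directory, with the IsSafePath() check on the constructed full path. The following is an added illustration, not 7-Zip's own code: simplified lexical versions of both checks, assuming a hypothetical symlink stored at drive_c/windows/winsxs inside the extraction root.

```cpp
// Added illustration (not 7-Zip's code): why a per-component depth check
// rejects legitimate links that a full-path check accepts, while the
// full-path check still catches absolute targets and real escapes.
#include <sstream>
#include <string>
#include <vector>

// Split a '/'-separated path into components, dropping empty and "." parts.
static std::vector<std::string> splitPath(const std::string &p) {
    std::vector<std::string> out;
    std::stringstream ss(p);
    std::string part;
    while (std::getline(ss, part, '/'))
        if (!part.empty() && part != ".") out.push_back(part);
    return out;
}

// Lowest depth reached while walking the link target on its own.
// A rule of the form "reject if LowLevel < 0" flags
// winsxs/../../system32/foo.dll (lowest depth -1) even though the
// resolved path can still lie inside the extraction root.
int lowestLevel(const std::string &linkTarget) {
    int level = 0, lowest = 0;
    for (const auto &c : splitPath(linkTarget)) {
        level += (c == "..") ? -1 : 1;
        if (level < lowest) lowest = level;
    }
    return lowest;
}

// Full-path check: join the directory holding the symlink (relative to the
// extraction root) with the link target, normalise lexically, and reject
// absolute targets or any path that climbs above the root. True means safe.
bool isSafeFullPath(const std::string &linkDir, const std::string &linkTarget) {
    if (!linkTarget.empty() && linkTarget[0] == '/') return false;  // absolute target
    std::vector<std::string> stack = splitPath(linkDir);
    for (const auto &c : splitPath(linkTarget)) {
        if (c == "..") {
            if (stack.empty()) return false;  // would leave the extraction root
            stack.pop_back();
        } else {
            stack.push_back(c);
        }
    }
    return true;
}
```

Note that this lexical check does not model intermediate directories that are themselves symlinks on disk, which is what the separate CheckLinkPath_in_FS check in the description is concerned with.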
TAG Bot: TAG: 25.01+dfsg-1_deb13u2deepin1
Author: /integrate
AutoIntegrationPr Bot