
feat: increase default SymLinks_DangerousLevel from 5 to 10#8

Open
Zeno-sole wants to merge 1 commit into
deepin-community:masterfrom
Zeno-sole:feat/symlink-default-level10

Conversation

@Zeno-sole


Change the default symlink dangerous level from 5 to 10 for better compatibility with legitimate cross-directory symlinks.

Level 10 (vs 5) differences:

  • Disables the low-level check (level <= 5 && LowLevel < 0) that incorrectly rejects symlinks with ../ that don't actually escape the extraction root (e.g. winsxs/../../system32/*.dll).
  • Disables the final-level check (level <= 5 && FinalLevel < 1).
  • Disables the chain symlink filesystem check (CheckLinkPath_in_FS) to avoid false positives when intermediate directories are themselves symlinks (common in Wine prefixes).
  • Disables hardlink-to-symlink rejection.

The IsSafePath() core defense on the constructed full path (prefix path + link target) remains active, catching all real directory traversal attacks.

To disable symlink extraction entirely, use -snl-.

Log: Increased default symlink dangerous level from 5 to 10

Influence:

  1. Test symlink extraction with absolute paths (e.g. /dev/ttyS2)
  2. Test ../ symlink extraction (e.g. winsxs/../../system32/)
  3. Test -snl- still disables symlinks when needed
  4. Verify benchmark and basic functionality not affected
  5. Verify no regression on regular archive extraction

feat: increase the 7zip default symlink dangerous level from 5 to 10

Raise the default symlink safety level from 5 to 10 to improve compatibility with legitimate cross-directory
symlinks (e.g. the Wine winsxs scenario).

The IsSafePath() core defense (traversal detection on the constructed full path)
remains in effect. To disable symlink extraction entirely, use -snl-.

Log: Increased the default symlink dangerous level from 5 to 10

Influence:

  1. Test extraction of absolute-path symlinks (e.g. /dev/ttyS2)
  2. Test extraction of ../ symlinks (e.g. winsxs/../../system32/)
  3. Test that -snl- still disables symlinks
  4. Verify that benchmark and basic functionality are not affected
  5. Verify no regression on regular archive extraction

repo: 7zip #main
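The checks named in the description, as an added lexical model written for this page (not 7-Zip's own code): `walk_levels` mirrors the LowLevel/FinalLevel idea, `is_safe_path` stands in for the IsSafePath() check on prefix + target, and the exact 7-Zip logic, including rejection of absolute targets, is assumed rather than copied.

```python
# Added example, not 7-Zip's code: a lexical model of the symlink checks
# quoted in the PR text. Variable names mirror LowLevel/FinalLevel; the
# precise 7-Zip semantics are an assumption.
import posixpath


def walk_levels(target: str):
    """Track directory depth while walking a relative link target.

    Returns (low_level, final_level): the lowest depth reached while
    walking the components and the depth at the end.
    """
    level = 0
    low = 0
    for part in target.split("/"):
        if part in ("", "."):
            continue
        level += -1 if part == ".." else 1
        low = min(low, level)
    return low, level


def is_safe_path(full_path: str) -> bool:
    """Lexical root check on the constructed path (assumed to reject
    absolute targets and anything that normalises above the root)."""
    if full_path.startswith("/"):
        return False
    norm = posixpath.normpath(full_path)
    return not (norm == ".." or norm.startswith("../"))


def symlink_allowed(prefix: str, target: str, level: int, snl: bool = True) -> bool:
    """Decide whether a link stored under `prefix` with `target` is extracted.

    `level` is the dangerous-level setting (5 = old default, 10 = new default);
    `snl=False` models the -snl- switch.
    """
    if not snl:
        return False
    # Core defense on prefix + link target, active at every level.
    if not is_safe_path(posixpath.join(prefix, target)):
        return False
    # Extra checks that the description says apply only at level <= 5.
    if level <= 5:
        low, final = walk_levels(target)
        if low < 0 or final < 1:
            return False
    return True
```

The model is purely lexical: the CheckLinkPath_in_FS chain check that the description says is disabled at level 10 is not represented, so a "safe" verdict here says nothing about directories already turned into links by earlier entries of the same archive.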

@github-actions


TAG Bot

TAG: 25.01+dfsg-1_deb13u2deepin1
EXISTED: no
DISTRIBUTION: unstable

@Zeno-sole

Author

/integrate

@github-actions

Copy link
Copy Markdown

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#4217
PrNumber: 4217
PrBranch: auto-integration-28449019821
