--- a/ChangeLog Tue Mar 04 23:01:37 2014 -0800
+++ b/ChangeLog Tue Mar 04 23:12:23 2014 -0800
@@ -1,6 +1,11 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+ Windows-Specific Changes: + * Don't allow overwriting arbitrary files on the file system when the + user installs a smiley theme from a tar file. (Discovered by Yves + Younan of Sourcefire VRT) * Fix build against Python 3. (Ed Catmur) (#15969)
--- a/pidgin/win32/untar.c Tue Mar 04 23:01:37 2014 -0800
+++ b/pidgin/win32/untar.c Tue Mar 04 23:12:23 2014 -0800
@@ -401,6 +401,19 @@
+ /* Possibly strip the drive from the path */ + /* If the path contains a colon, assume everything before the + * colon is intended to be a drive name and ignore it. This + * should be just a single drive letter, but it should be safe + * to drop it even if it's longer. */ + const char *lastcolon = strrchr(nbuf, ':'); + memmove(nbuf, lastcolon, strlen(lastcolon) + 1); + didabs = 1; /* Path was changed from absolute to relative */ /* Convert any backslashes to forward slashes, and guard
* against doubled-up slashes. (Some DOS versions of "tar"
* get this wrong.) Also strip off leading slashes.
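Review bot: `lastcolon` is dereferenced without a visible NULL check in the untar.c hunk: `strrchr(nbuf, ':')` returns NULL when the entry name has no colon, and `strlen(lastcolon)` then reads through a null pointer. The comment says the stripping applies only "if the path contains a colon", so if an enclosing `if (strchr(nbuf, ':') != NULL)` guard was lost when the patch was rendered this is fine; otherwise wrap the three statements in `if (lastcolon != NULL) { ... }`. Two smaller points on the same lines: the `memmove` copies from `lastcolon` itself, so the colon is kept as the first character of the rewritten path (`C:\foo` becomes `:\foo`); if the intent is to drop the drive prefix entirely, move from `lastcolon + 1` with length `strlen(lastcolon)`. And this hunk only neutralises drive-prefixed absolute names; the trailing context handles backslashes and leading slashes, but nothing visible here rejects `..` components, so confirm that case is handled elsewhere in untar.c before treating the arbitrary-overwrite issue from the ChangeLog entry as closed.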