From 6027d68337b537bf9a68cf810cf9b8e40dac22f8 Mon Sep 17 00:00:00 2001
From: Jaroslav Rohel <jrohel@redhat.com>
Date: Wed, 12 Aug 2020 08:35:28 +0200
Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639)

= changelog =
msg: Validate path read from repomd.xml
type: security
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639

Upstream-Status: Acepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600]
CVE: CVE-2020-14352
Signed-off-by: Minjae Kim <flowergom@gmail.com>
---
 librepo/yum.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/librepo/yum.c b/librepo/yum.c
index 3059188..529257b 100644
--- a/librepo/yum.c
+++ b/librepo/yum.c
@@ -23,6 +23,7 @@
 #define  BITS_IN_BYTE 8
 
 #include <stdio.h>
+#include <libgen.h>
 #include <assert.h>
 #include <stdlib.h>
 #include <errno.h>
@@ -770,6 +771,22 @@ prepare_repo_download_targets(LrHandle *handle,
             continue;
 
         char *location_href = record->location_href;
+
+        char *dest_dir = realpath(handle->destdir, NULL);
+        path = lr_pathconcat(handle->destdir, record->location_href, NULL);
+        char *requested_dir = realpath(dirname(path), NULL);
+        lr_free(path);
+        if (!g_str_has_prefix(requested_dir, dest_dir)) {
+            g_debug("%s: Invalid path: %s", __func__, location_href);
+            g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
+            g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
+            free(requested_dir);
+            free(dest_dir);
+            return FALSE;
+        }
+        free(requested_dir);
+        free(dest_dir);
+
         gboolean is_zchunk = FALSE;
         #ifdef WITH_ZCHUNK
         if (handle->cachedir && record->header_checksum)
-- 
2.17.1