From 544f0175d9968151df8fcd537f6399ea3fcb05fa Mon Sep 17 00:00:00 2001
From: Ralph Slooten
Date: Sun, 7 Aug 2022 00:26:18 +1200
Subject: [PATCH] Security: Don't allow tar files containing a ".."
---
 updater/targz.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/updater/targz.go b/updater/targz.go
index 4819b05..02d30c1 100644
--- a/updater/targz.go
+++ b/updater/targz.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"syscall"
 )
 
@@ -184,6 +185,10 @@ func extract(filePath string, directory string) error {
 	}
 	fileInfo := header.FileInfo()
 
+	// paths could contain a '..', is used in a file system operations
+	if strings.Contains(fileInfo.Name(), "..") {
+		continue
+	}
 	dir := filepath.Join(directory, filepath.Dir(header.Name))
 	filename := filepath.Join(dir, fileInfo.Name())
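Review bot: The new guard only inspects fileInfo.Name(), which is the base name of the entry, while the destination on the following line is built from filepath.Dir(header.Name); an entry whose directory part carries a `..` component has a base name without `..`, passes the check, and `dir` resolves outside `directory`. Check containment of the joined path rather than searching the base name for `..`, e.g. `if p := filepath.Join(directory, header.Name); !strings.HasPrefix(p, filepath.Clean(directory)+string(os.PathSeparator)) { continue }`, which also stops rejecting legitimate names such as `a..b`. Silently skipping the entry with `continue` hides a malformed archive from the caller; having extract return an error is the more defensible outcome for a security check. If the rest of extract handles link or symlink entries, their targets need the same containment check; that part of the function lies outside the hunk.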