manifest.in component paths appear to be trusted after decoding. ComponentPart::decode() converts the path string directly into a PathBuf, and transaction operations only guard with relpath.is_relative(). However, paths containing parent components like ../outside are still relative.
Those paths are later joined with the install prefix via InstallPrefix::abs_path(), so a component manifest entry such as:
can target a path outside the toolchain directory during install. Those paths are persisted into component manifests and can later be used during uninstall; rollback also uses the recorded transaction paths.
|
path: PathBuf::from(path_str.as_ref()), |
|
assert!(relpath.is_relative()); |
|
let abs_path = ChangedItem::dest_abs_path(&self.prefix, component, &relpath)?; |
|
utils::rename("component", src, &abs_path, self.permit_copy_rename)?; |
Ideally, component manifest paths should be confined to the toolchain install prefix. Absolute paths, prefix paths, empty paths, and paths containing .. should be rejected as corrupt component manifests.
It may also be worth validating that the package source path stays under the extracted package root.
Ref:
manifest.incomponent paths appear to be trusted after decoding.ComponentPart::decode()converts the path string directly into aPathBuf, and transaction operations only guard withrelpath.is_relative(). However, paths containing parent components like../outsideare still relative.Those paths are later joined with the install prefix via
InstallPrefix::abs_path(), so a component manifest entry such as:can target a path outside the toolchain directory during install. Those paths are persisted into component manifests and can later be used during uninstall; rollback also uses the recorded transaction paths.
rustup/src/dist/component/components.rs
Line 221 in 4b1423b
rustup/src/dist/component/transaction.rs
Lines 181 to 183 in 4b1423b
Ideally, component manifest paths should be confined to the toolchain install prefix. Absolute paths, prefix paths, empty paths, and paths containing
..should be rejected as corrupt component manifests.It may also be worth validating that the package source path stays under the extracted package root.
Ref: