> From: Roberto A. Foglietta
> Sent: Tuesday, 14 April 2026 12:07
>
>> [snipped earlier quote]
>
> oh-oh, anthropic...
>
> this is the patch developed by Claude Sonnet 4.6
>
> https://claude.ai/share/3846ba11-0b6e-4f0c-9cb6-34beaa11c49c
Lookie. Rephrased nicely from GPLv3 licensed source:

https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=685a78b6052f4df6eac6d625a545cfb54a6ac0e1

@@ -1415,6 +1415,17 @@ strip_leading_slashes (char *name, int strip_leading)
 	      n = p+1;
 	    }
 	}
+  if (IS_ABSOLUTE_FILE_NAME (n))
+    fatal ("rejecting absolute file name: %s", quotearg (n));
+  for (p = n; *p; )
+    {
+      if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
+	fatal ("rejecting file name with \"..\" component: %s", quotearg (n));
+      while (*p && ! ISSLASH (*p))
+	p++;
+      while (ISSLASH (*p))
+	p++;
+    }
   if ((strip_leading < 0 || s <= 0) && *n)

> this is the patch developed by Gemini
>
> https://gemini.google.com/share/602d38b9f121
>
> both based on free-of-charge chatbot services
>
> Gemini won, IMHO at first sight, by using "strstr" even though it
> failed to create/adopt a sort of sanitise_path_check() function.
> Because there is a good chance that the same issue affects other
> applets (like tar, for example, possibly).

For the tar/etc applets, there are skip_unsafe_prefix and
strip_unsafe_prefix functions that prevent absolute paths as well as
traversed paths. (See archival/libarchive/unsafe_prefix.c)

And there is an option FEATURE_PATH_TRAVERSAL_PROTECTION to protect
against path traversal for all the other unpackaging applets.

> WARNING:
>
> I did not review or check the patches available on those links above,
> that material is provided just for AI developing skills comparison not
> for AS-IS real-world use.
>
> Best regards,
> --
> Roberto A. Foglietta
> +49.176.274.75.661
> +39.349.33.30.697

Regards,
Morgan

_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
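Review bot: the ".." test in the GNU patch hunk above packs two `*++p` side effects into a single condition and relies on short-circuit evaluation to leave `p` positioned for the two `while` loops that follow; it is correct, but a reader has to trace the `.`, `..`, `..x` and `.x` cases by hand to see that no component is skipped. Suggest scanning to the end of the component first and then comparing its length and bytes, roughly `q = p; while (*q && ! ISSLASH (*q)) q++; if (q - p == 2 && p[0] == '.' && p[1] == '.') fatal (...)`, which reads the same way the loop below it already does. Two smaller points for whoever adapts this for a busybox applet: the check is purely lexical (a name with no ".." component can still resolve outside the working tree through a symlink, which this code never looks at), so the comment or commit text should say what it does and does not guarantee; and `fatal` aborts the whole run on the first offending name rather than skipping that file, which is a reasonable default but is a user-visible behaviour change worth documenting.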
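The two checks discussed in this thread (reject absolute names, reject any ".." path component) written out as a stand-alone function, as an added example that is not from the busybox list, from busybox's unsafe_prefix.c or from GNU patch. The function name `check_relative_name`, the `name_verdict` enum and the `ISSLASH` macro are this example's own; it treats only a leading `/` as absolute (GNU patch's `IS_ABSOLUTE_FILE_NAME` also knows about drive-letter roots on other platforms), and it walks each component explicitly instead of advancing the pointer inside the condition.

```c
/* Added example: a lexical path check in the spirit of the hunk
 * quoted above. All names here are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

#define ISSLASH(c) ((c) == '/')

enum name_verdict {
    NAME_OK = 0,        /* relative, no ".." component */
    NAME_ABSOLUTE = 1,  /* starts with '/' */
    NAME_DOTDOT = 2,    /* contains a component that is exactly ".." */
    NAME_EMPTY = 3      /* NULL or zero-length name */
};

/* Examine only the text of 'name'. A component is the run of bytes
 * between slashes; repeated slashes are collapsed. "..foo", "foo.." and
 * "..." are ordinary names and are allowed, which is why a plain
 * strstr(name, "..") would be the wrong tool here.
 *
 * Caveat: this is a lexical check. It says nothing about symlinks that
 * already exist inside the tree, so callers still need filesystem-level
 * protection (O_NOFOLLOW-style opens or a check after path resolution). */
enum name_verdict check_relative_name(const char *name)
{
    const char *p = name;

    if (p == NULL || *p == '\0')
        return NAME_EMPTY;
    if (ISSLASH(*p))
        return NAME_ABSOLUTE;

    while (*p) {
        const char *start = p;
        /* advance to the end of this component */
        while (*p && !ISSLASH(*p))
            p++;
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return NAME_DOTDOT;
        /* skip one or more separators before the next component */
        while (ISSLASH(*p))
            p++;
    }
    return NAME_OK;
}

static const char *verdict_str(enum name_verdict v)
{
    switch (v) {
    case NAME_OK:       return "ok";
    case NAME_ABSOLUTE: return "absolute";
    case NAME_DOTDOT:   return "dotdot";
    default:            return "empty";
    }
}

int main(void)
{
    /* constructed sample names, not taken from any real patch file */
    const char *samples[] = {
        "a/b/c", "/etc/passwd", "../x", "a/../b", "a//../b",
        "a/..", "a/..b/c", "foo../bar", "./a/b", "...", ""
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               verdict_str(check_relative_name(samples[i])));
    return 0;
}
```

The check is meant to run after any leading-slash stripping (the `-p` handling in patch, or the prefix stripping busybox's tar does), so a verdict of `NAME_ABSOLUTE` here means the stripping already failed to make the name relative. Returning a verdict rather than calling `fatal` lets the caller decide between aborting the run and skipping the one file.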
