From 7ad47f1083f6d62d1135fe49807b51380cc4d7cb Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Thu, 3 Oct 2013 17:30:03 +0200
Subject: [PATCH] tarfs: make file name safe, canonical and free of . and .. (from sources)
---
 sys/src/cmd/tapefs/tarfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/src/cmd/tapefs/tarfs.c b/sys/src/cmd/tapefs/tarfs.c
index 96271a866..c58db4bbb 100644
--- a/sys/src/cmd/tapefs/tarfs.c
+++ b/sys/src/cmd/tapefs/tarfs.c
@@ -144,10 +144,12 @@ populate(char *name)
 }
 f.mode &= DMDIR | 0777;
- /* make file name safe and canonical */
+ /* make file name safe, canonical and free of . and .. */
 while (fname[0] == '/') /* don't allow absolute paths */
 ++fname;
 cleanname(fname);
+ while (strncmp(fname, "../", 3) == 0)
+ fname += 3;
 /* reject links */
 linkflg = hp->linkflag == LF_SYMLINK1 ||
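Review bot: A name that cleans to exactly `..` still passes the new loop after `cleanname(fname)`, because `strncmp(fname, "../", 3)` only matches when a slash follows the dots. An archive name such as `../..` is likewise stripped down to `..` and then left alone, and a name that is empty after the leading-slash strip should come back from cleanname as `.`, so the comment's "free of . and .." does not hold for those inputs. A check placed after the loop, for example `if (strcmp(fname, "..") == 0 || strcmp(fname, ".") == 0)`, that skips or rejects the entry would close the gap. How populate skips a header, and what the later path-walking code does with such a component, lies outside the hunk, so the practical impact is unconfirmed from here.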