- πΈπ°Slovakia poker10
Thanks for working on this. I think all of these changes were included and fixed in #3247738: sync system.tar.inc with Archive_Tar 1.4.14 β and https://www.drupal.org/sa-core-2021-004 β , so closing this.
We backported one recent hardening of Archive_Tar in #3195939: hardening of destructor in Archive_Tar β but a few other changes have been made recently which D7 is now out-of-sync with.
Note that this is not a security release - see: #3211037: Inaccurate github security advisory re Archive_Tar and CVE-2020-36193 β .
diff the 1.4.13 release of Archive_Tar's Tar.php with D7's current system.tar.inc
Bring system.tar.inc up-to-date with all upstream changes.
There is one remaining whitespace only difference, but I think D7 has the correct indentation. I'll file a follow-up with Archive_Tar to fix that upstream.
None.
Legitimate symlinks within archives will be allowed again, but only if the appropriate option is passed to Archive_Tar's methods. Core doesn't do this so symlinks are not allowed in core's direct use of the class.
None.
Not sure we need one.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Thanks for working on this. I think all of these changes were included and fixed in #3247738: sync system.tar.inc with Archive_Tar 1.4.14 β and https://www.drupal.org/sa-core-2021-004 β , so closing this.