LUGG-1222 Merge branch 'release'

CHANGELOG.txt

@@ -1,3 +1,8 @@
+Drupal 7.78, 2021-01-19
+-----------------------
+- Fixed security issues:
+   - SA-CORE-2021-001
+
 Drupal 7.77, 2020-12-03
 -----------------------
 - Hotfix for schema.prefixed tables

LUGGAGE_CHANGELOG.txt

@@ -2,6 +2,11 @@ How to read this changelog:
 
 The LUGG- prefix refers to JIRA issue numbers; the # prefix refers to GitHub issue numbers.
 
+Luggage 3.6.18, 2021-01-20
+Drupal 7.78, 2021-01-20
+-------------------------
+- LUGG-1222 - Drupal 7.78 SA-CORE-2021-001
+
 Luggage 3.6.17, 2020-12-23
 Drupal 7.77, 2020-12-03
 -------------------------

LUGGAGE_VERSION.php

@@ -1,3 +1,3 @@
 <?php
 
-$version = "3.6.17";
+$version = "3.6.18";

includes/bootstrap.inc

@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.77');
+define('VERSION', '7.78');
 
 /**
  * Core API compatibility.

modules/system/system.tar.inc

@@ -2178,6 +2178,14 @@ class Archive_Tar
                             }
                         }
                     } elseif ($v_header['typeflag'] == "2") {
+                        if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {
+                            $this->_error(
+                                'Out-of-path file extraction {'
+                                . $v_header['filename'] . ' --> ' .
+                                $v_header['link'] . '}'
+                            );
+                            return false;
+                        }
                         if (!$p_symlinks) {
                             $this->_warning('Symbolic links are not allowed. '
                                 . 'Unable to extract {'