When doing an SQLAR archive extraction in the CLI, postpone creating symlinks until after

D. Richard Hipp · D. Richard Hipp · commit 1c90ee985a02 · 2026-02-23T01:34:14.000Z
all files and directories have been created.  This prevents a hostile archive from
creating a symlink through which it can subsequently write content outside of the target
directory.  [forum:forumpost/9e176adfef91c207|Forum post 9e176adfef91c207].
diff --git a/src/shell.c.in b/src/shell.c.in
@@ -6665,11 +6665,14 @@ static int arRemoveCommand(ArCommand *pAr){
 */
 static int arExtractCommand(ArCommand *pAr){
   const char *zSql1 =
-    "SELECT "
-    " ($dir || name),"
-    " writefile(($dir || name), %s, mode, mtime) "
-    "FROM %s WHERE (%s) AND (data IS NULL OR $dirOnly = 0)"
-    " AND name NOT GLOB '*..[/\\]*'";
+    "SELECT ($dir || name),\n"
+    "       writefile(($dir || name), %s, mode, mtime)\n"
+    "  FROM %s\n"
+    " WHERE (%s)\n"
+    "   AND NOT ((mode&0xf000)==0x8000 AND $pass>0)\n"  /* Files on pass 0 */
+    "   AND NOT (data IS NULL AND $pass==1)\n"          /* Dirs on passes 0,2 */
+    "   AND NOT ((mode&0xf000)==0xa000 AND $pass<>1)\n" /* Symlink on pass 1 */
+    "   AND name NOT GLOB '*..[/\\]*'\n";
 
   const char *azExtraArg[] = {
     "sqlar_uncompress(data, sz)",
@@ -6705,16 +6708,21 @@ static int arExtractCommand(ArCommand *pAr){
     j = sqlite3_bind_parameter_index(pSql, "$dir");
     sqlite3_bind_text(pSql, j, zDir, -1, SQLITE_STATIC);
 
-    /* Run the SELECT statement twice. The first time, writefile() is called
-    ** for all archive members that should be extracted. The second time,
-    ** only for the directories. This is because the timestamps for
-    ** extracted directories must be reset after they are populated (as
-    ** populating them changes the timestamp).  */
-    for(i=0; i<2; i++){
-      j = sqlite3_bind_parameter_index(pSql, "$dirOnly");
+    /* Run the SELECT statement thrice:
+    **   (1) writefile() all files and directories, but not symlinks
+    **   (2) writefile() for symlinks
+    **   (3) writefile() for directory again
+    ** Symlinks are created after everything else to prevent writing content
+    ** through a symlink that was created by the extraction.
+    ** The third pass is so that the timestamps for extracted directories
+    ** will be reset to the value in the archive, since populating them
+    ** in the previous passes will have changed the timestamp. */
+    for(i=0; i<3; i++){
+      j = sqlite3_bind_parameter_index(pSql, "$pass");
       sqlite3_bind_int(pSql, j, i);
       if( pAr->bDryRun ){
         cli_printf(pAr->out, "%s\n", sqlite3_sql(pSql));
+        break;
       }else{
         while( rc==SQLITE_OK && SQLITE_ROW==sqlite3_step(pSql) ){
           if( i==0 && pAr->bVerbose ){
