From: Michiel Rook <michiel@michielrook.nl>
Date: Thu, 19 Nov 2020 09:52:43 +0100
Subject: Fixes #33 - ensure we catch additional malicious/crafted filenames
Origin: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da
Bug: https://github.com/pear/Archive_Tar/issues/33
Bug-Debian: https://bugs.debian.org/976108
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28948
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-28949

---
 submodules/Archive_Tar/Archive/Tar.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/submodules/Archive_Tar/Archive/Tar.php
+++ b/submodules/Archive_Tar/Archive/Tar.php
@@ -1695,7 +1695,7 @@ class Archive_Tar extends PEAR
 
         // ----- Extract the properties
         $v_header['filename'] = rtrim($v_data['filename'], "\0");
-        if ($this->_maliciousFilename($v_header['filename'])) {
+        if ($this->_isMaliciousFilename($v_header['filename'])) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_header['filename'] .
                 '" will not install in desired directory tree'
@@ -1765,9 +1765,9 @@ class Archive_Tar extends PEAR
      *
      * @return bool
      */
-    private function _maliciousFilename($file)
+    private function _isMaliciousFilename($file)
     {
-        if (strpos($file, 'phar://') === 0) {
+        if (strpos($file, '://') !== false) {
             return true;
         }
         if (strpos($file, '/../') !== false) {
@@ -1806,7 +1806,7 @@ class Archive_Tar extends PEAR
 
         $v_filename = rtrim(substr($v_filename, 0, $v_filesize), "\0");
         $v_header['filename'] = $v_filename;
-        if ($this->_maliciousFilename($v_filename)) {
+        if ($this->_isMaliciousFilename($v_filename)) {
             $this->_error(
                 'Malicious .tar detected, file "' . $v_filename .
                 '" will not install in desired directory tree'