Add separator to zip slip check - fixes #3043 (#3048)

Tom Morris 2020-08-09 08:48:55 -04:00 committed by GitHub
parent 55edae2b7b
commit 9c403d59d2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -458,13 +458,13 @@ public class ImportingUtilities {
name = name.substring(0, q); name = name.substring(0, q);
} }
File file = new File(dir, name); File file = new File(dir, name);
// For CVE-2018-19859, issue #1840 // For CVE-2018-19859, issue #1840
if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) { if (!file.toPath().normalize().startsWith(dir.toPath().normalize() + File.separator)) {
throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed."); throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
} }
int dot = name.indexOf('.'); int dot = name.lastIndexOf('.');
String prefix = dot < 0 ? name : name.substring(0, dot); String prefix = dot < 0 ? name : name.substring(0, dot);
String suffix = dot < 0 ? "" : name.substring(dot); String suffix = dot < 0 ? "" : name.substring(dot);
int index = 2; int index = 2;
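Review bot: On the changed `if` line, appending `File.separator` turns the argument into a String, so the call resolves to `Path.startsWith(String)`, which converts the string back into a Path and compares whole name elements; as far as I can tell the trailing separator is dropped in that conversion, which leaves the check equivalent to the one it replaces. `Path.startsWith(Path)` already refuses a sibling directory that merely shares the root's name as a prefix (constructed example: `<dir>-other`), so the concatenation mainly makes the line read like a string-prefix test and invites a later change to `String.startsWith`, which would need the separator and would behave differently when the entry resolves to the root itself. I would keep both operands as Paths, e.g. `Path root = dir.toPath().normalize();` then `if (!file.toPath().normalize().startsWith(root)) {`, with a comment such as `// Path.startsWith compares whole path elements; no trailing separator needed`. A unit test using an entry name that normalizes into a sibling directory sharing the root's name prefix would pin the intended behaviour. The enclosing method starts and ends outside the hunk.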