git://source.jalview.org / jalview.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 80c1030)
JAL-4072 Add zip-slip check in getdown
authorBen Soares <b.soares@dundee.ac.uk>
Thu, 6 Jun 2024 12:54:51 +0000 (13:54 +0100)
committerBen Soares <b.soares@dundee.ac.uk>
Thu, 6 Jun 2024 12:54:51 +0000 (13:54 +0100)
getdown/lib/getdown-core.jar patch | blob | history
getdown/lib/getdown-launcher-local.jar patch | blob | history
getdown/lib/getdown-launcher.jar patch | blob | history
getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java patch | blob | history
getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java patch | blob | history
j11lib/getdown-core.jar patch | blob | history
j8lib/getdown-core.jar patch | blob | history

diff --git a/getdown/lib/getdown-core.jar b/getdown/lib/getdown-core.jar
index abc2c7a..8c9e44b 100644 (file)
Binary files a/getdown/lib/getdown-core.jar and b/getdown/lib/getdown-core.jar differ
diff --git a/getdown/lib/getdown-launcher-local.jar b/getdown/lib/getdown-launcher-local.jar
index 368c124..a3528ac 100644 (file)
Binary files a/getdown/lib/getdown-launcher-local.jar and b/getdown/lib/getdown-launcher-local.jar differ
diff --git a/getdown/lib/getdown-launcher.jar b/getdown/lib/getdown-launcher.jar
index 3e0cb62..f803c4f 100644 (file)
Binary files a/getdown/lib/getdown-launcher.jar and b/getdown/lib/getdown-launcher.jar differ
diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
index 4ead59b..c907e51 100644 (file)
--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
@@ -129,6 +129,9 @@ public class Patcher
     {
         File target = new File(appdir, path);
         File patch = new File(appdir, entry.getName());
+        if (!patch.toPath().normalize().startsWith(appdir.toPath().normalize())) {
+          throw new RuntimeException("Bad zip entry");
+        }
         File otarget = new File(appdir, path + ".old");
         JarDiffPatcher patcher = null;
 
diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
index bba6c44..e4a752b 100644 (file)
--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
@@ -140,7 +140,9 @@ public class FileUtil
         while (entries.hasMoreElements()) {
             JarEntry entry = (JarEntry)entries.nextElement();
             File efile = new File(target, entry.getName());
-
+            if (!efile.toPath().normalize().startsWith(target.toPath().normalize())) {
+              throw new IOException("Bad zip entry");
+            }
             // if we're unpacking a normal jar file, it will have special path
             // entries that allow us to create our directories first
             if (entry.isDirectory()) {
diff --git a/j11lib/getdown-core.jar b/j11lib/getdown-core.jar
index abc2c7a..8c9e44b 100644 (file)
Binary files a/j11lib/getdown-core.jar and b/j11lib/getdown-core.jar differ
diff --git a/j8lib/getdown-core.jar b/j8lib/getdown-core.jar
index abc2c7a..8c9e44b 100644 (file)
Binary files a/j8lib/getdown-core.jar and b/j8lib/getdown-core.jar differ