{
File target = new File(appdir, path);
File patch = new File(appdir, entry.getName());
+ if (!patch.toPath().normalize().startsWith(appdir.toPath().normalize())) {
+ throw new RuntimeException("Bad zip entry");
+ }
File otarget = new File(appdir, path + ".old");
JarDiffPatcher patcher = null;
while (entries.hasMoreElements()) {
JarEntry entry = (JarEntry)entries.nextElement();
File efile = new File(target, entry.getName());
-
+ if (!efile.toPath().normalize().startsWith(target.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
// if we're unpacking a normal jar file, it will have special path
// entries that allow us to create our directories first
if (entry.isDirectory()) {