From: Ben Soares
Date: Tue, 4 Oct 2022 16:01:26 +0000 (+0100)
Subject: JAL-4072 added zip file path test as per https://github.com/threerings/getdown/pull...
X-Git-Url: http://source.jalview.org/gitweb/?a=commitdiff_plain;h=fd15d44efb796a66c703a10a1bbb138bcf44044b;p=jalview.git

JAL-4072 added zip file path test as per https://github.com/threerings/getdown/pull/265/commits/2252ceb20cfcf5963a483328bc93955b60221e3f
---

diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
index 4ead59b..52e1c9d 100644
--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
@@ -129,6 +129,9 @@ public class Patcher {
 File target = new File(appdir, path);
 File patch = new File(appdir, entry.getName());
+ if (!patch.toPath().normalize().startsWith(appdir.toPath().normalize())) {
+ throw new RuntimeException("Bad zip entry");
+ }
 File otarget = new File(appdir, path + ".old");
 JarDiffPatcher patcher = null;
diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
index bba6c44..930c33b 100644
--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
@@ -140,6 +140,9 @@ public class FileUtil
 while (entries.hasMoreElements()) {
 JarEntry entry = (JarEntry)entries.nextElement();
 File efile = new File(target, entry.getName());
+ if (!efile.toPath().normalize().startsWith(target.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 // if we're unpacking a normal jar file, it will have special path
 // entries that allow us to create our directories first
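Review bot: The containment check added after `File patch = new File(appdir, entry.getName())` in the Patcher.java hunk compares lexically normalized, possibly relative paths, so when `appdir` is relative (for example `.`, whose normalized form is the empty path) the `startsWith` test can misjudge entries, and a symlinked directory beneath `appdir` is not accounted for either; resolving both sides to absolute paths first is the more dependable form: `if (!patch.toPath().toAbsolutePath().normalize().startsWith(appdir.toPath().toAbsolutePath().normalize())) {`. The thrown `RuntimeException("Bad zip entry")` also differs from the `IOException` the FileUtil.java hunk throws for the same condition and omits the offending name, which makes a rejected patch hard to diagnose; `throw new IOException("Bad zip entry: " + entry.getName());` would be consistent, assuming the enclosing method already declares `IOException`, which cannot be seen from the hunk. The same absolute-path caveat applies to the check in the FileUtil.java hunk. The enclosing method starts and ends outside the hunk, so whether `target` and `otarget`, which are built from `path` rather than `entry.getName()`, are covered by this check depends on how `path` is derived above.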