| side by side (parent:
7a75c93
)
JAL-4072 added zip file path test as per https://github.com/threerings/getdown/pull...
author
Ben Soares
<b.soares@dundee.ac.uk>
Tue, 4 Oct 2022 16:01:26 +0000
(17:01 +0100)
committer
Ben Soares
<b.soares@dundee.ac.uk>
Tue, 4 Oct 2022 16:01:26 +0000
(17:01 +0100)
getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
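--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
@@ -129,6 +129,9 @@ public class Patcher
 {
 File target = new File(appdir, path);
 File patch = new File(appdir, entry.getName());
+ if (!patch.toPath().normalize().startsWith(appdir.toPath().normalize())) {
+ throw new RuntimeException("Bad zip entry");
+ }
 File otarget = new File(appdir, path + ".old");
 JarDiffPatcher patcher = null;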
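Review bot: The new guard throws an unchecked `RuntimeException`, while the same check added to FileUtil.java in this commit throws `IOException`, so a hostile patch entry here may bypass whatever I/O error handling the caller has and surface as a crash rather than a failed patch. If the enclosing method already declares `IOException` (its signature is outside the hunk), prefer `throw new IOException("Bad zip entry: " + entry.getName());`, which also records which entry was rejected. The check covers only `patch`; `target` and `otarget` are built from `path`, whose origin is not visible here, so confirm it is always derived from the validated entry name or apply the same containment test to `target`.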
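--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
@@ -140,6 +140,9 @@ public class FileUtil
 while (entries.hasMoreElements()) {
 JarEntry entry = (JarEntry)entries.nextElement();
 File efile = new File(target, entry.getName());
+ if (!efile.toPath().normalize().startsWith(target.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 // if we're unpacking a normal jar file, it will have special path
 // entries that allow us to create our directories first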
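Review bot: The containment check relies on `Path.normalize()`, which is purely lexical: it collapses `..` segments but neither makes a relative `target` absolute nor resolves symbolic links already present under `target`. The comparison is therefore only as reliable as the form of the base path passed in. Computing the base once before the loop, `Path base = target.toPath().toAbsolutePath().normalize();`, and testing `efile.toPath().toAbsolutePath().normalize().startsWith(base)` would make the result independent of how `target` was spelled and avoid re-normalising it for every entry. A short comment such as `// reject entries whose name escapes the unpack directory (zip-slip)` and the entry name in the exception message would help anyone triaging a rejected archive. The loop body continues outside the hunk.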