From fd15d44efb796a66c703a10a1bbb138bcf44044b Mon Sep 17 00:00:00 2001 From: Ben Soares Date: Tue, 4 Oct 2022 17:01:26 +0100 Subject: [PATCH] JAL-4072 added zip file path test as per https://github.com/threerings/getdown/pull/265/commits/2252ceb20cfcf5963a483328bc93955b60221e3f --- .../core/src/main/java/com/threerings/getdown/tools/Patcher.java | 3 +++ .../core/src/main/java/com/threerings/getdown/util/FileUtil.java | 3 +++ 2 files changed, 6 insertions(+) diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java index 4ead59b..52e1c9d 100644 --- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java +++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java @@ -129,6 +129,9 @@ public class Patcher { File target = new File(appdir, path); File patch = new File(appdir, entry.getName()); + if (!patch.toPath().normalize().startsWith(appdir.toPath().normalize())) { + throw new RuntimeException("Bad zip entry"); + } File otarget = new File(appdir, path + ".old"); JarDiffPatcher patcher = null; diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java index bba6c44..930c33b 100644 --- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java +++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java @@ -140,6 +140,9 @@ public class FileUtil while (entries.hasMoreElements()) { JarEntry entry = (JarEntry)entries.nextElement(); File efile = new File(target, entry.getName()); + if (!efile.toPath().normalize().startsWith(target.toPath().normalize())) { + throw new IOException("Bad zip entry"); + } // if we're unpacking a normal jar file, it will have special path // entries that allow us to create our directories first -- 1.7.10.2