Package: ruby-zip / 1.1.6-1+deb8u1

CVE-2017-5946.patch Patch series | download
From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
From: Alexander Simonov <alex@simonov.me>
Date: Wed, 8 Feb 2017 13:43:14 +0200
Subject: [PATCH] Fix #315 and resolve relative path vulnerability

---
 lib/zip/entry.rb | 5 +++++
 1 file changed, 5 insertions(+)

--- a/lib/zip/entry.rb
+++ b/lib/zip/entry.rb
@@ -148,6 +148,11 @@ module Zip
     def extract(dest_path = @name, &block)
       block ||= proc { ::Zip.on_exists_proc }
 
+      if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+        puts "WARNING: skipped \"../\" path component(s) in #{@name}"
+        return self
+      end
+
       if directory? || file? || symlink?
         self.__send__("create_#{@ftype}", dest_path, &block)
       else
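Review bot: The added guard rejects only `..` components, so an entry whose name is absolute (leading `/`) still falls through to the `create_#{@ftype}` call with that name as the default dest_path, which presumably creates the file outside the extraction directory; a minimal extension of the same line is `if @name.squeeze('/') =~ %r{\A/|(?:\A|/)\.{2}(?:/|\z)}`. Anchoring the `..` match on a separator or string start, as in that pattern, also avoids flagging legitimate names such as `foo../bar`, which the current `\.{2}` would reject. The check reports via `puts` to stdout and then returns self silently, so a caller extracting an archive in a loop gets no programmatic signal that an entry was skipped; `warn` or raising a Zip error class would be more appropriate for a security check. The body of extract continues past the end of the hunk.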