From: Markus Koschany <apo@debian.org>
Date: Thu, 17 Aug 2023 21:33:50 +0200
Subject: CVE-2023-37476
Bug-Debian: https://bugs.debian.org/1041422
Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
---
main/src/com/google/refine/io/FileProjectManager.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java
index 09197f7..c913199 100644
--- a/main/src/com/google/refine/io/FileProjectManager.java
+++ b/main/src/com/google/refine/io/FileProjectManager.java
@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager {
while ((tarEntry = tin.getNextTarEntry()) != null) {
File destEntry = new File(destDir, tarEntry.getName());
+ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
+ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
+ }
File parent = destEntry.getParentFile();
if (!parent.exists()) {