From: Odinn <odinn@Odinns-MacBook-Pro.local>
Date: Sun, 6 May 2018 01:16:55 +0300
Subject: fix: fail when trying to extract outside of dest dir
Origin: https://github.com/codehaus-plexus/plexus-archiver/commit/58bc24e465c0842981692adbf6d75680298989de
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1002200
Bug: https://github.com/codehaus-plexus/plexus-archiver/pull/87
Bug-Debian: https://bugs.debian.org/900953
A well crafted zip file may cause the code to extract outside of the destination dir.
This PR fails when that happens so that no unexpected behaviour happens.
[carnil: Backport to 1.2: Change filename and patch extractFile in
src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java
]
---
.../plexus/archiver/AbstractUnArchiver.java | 9 +++++++
.../archiver/zip/ZipUnArchiverTest.java | 24 ++++++++++++++++++
src/test/zips/zip-slip.zip | Bin 0 -> 545 bytes
3 files changed, 33 insertions(+)
create mode 100644 src/test/zips/zip-slip.zip
--- a/src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java
+++ b/src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java
@@ -198,6 +198,15 @@ public abstract class AbstractZipUnArchi
{
final File f = FileUtils.resolveFile( dir, entryName );
+ // Make sure that the resolved path of the extracted file doesn't escape the destination directory
+ String canonicalDirPath = dir.getCanonicalPath();
+ String canonicalDestPath = f.getCanonicalPath();
+
+ if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+ {
+ throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+ }
+
try
{
if ( !isOverwrite() && f.exists() && ( f.lastModified() >= entryDate.getTime() ) )
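Review bot: The containment test `canonicalDestPath.startsWith( canonicalDirPath )` is a raw string prefix match, so it also accepts an entry that resolves into a sibling directory whose name merely begins with the destination's name (with a destination of `/out/dest`, a resolved path of `/out/dest-other/file` passes; these paths are constructed for illustration). Compare against the directory path with a trailing separator, for example `canonicalDestPath.startsWith( canonicalDirPath + File.separator )`, and handle the case where the entry resolves to the destination directory itself as an explicit equality check. A test entry that targets such a sibling directory, alongside the `../` case, would keep the boundary condition covered.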