- Timestamp:
- 2021-07-08T21:40:58+02:00 (3 years ago)
- File:
-
- 1 edited
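--- a/trunk/src/org/openstreetmap/josm/gui/io/DownloadFileTask.java
+++ b/trunk/src/org/openstreetmap/josm/gui/io/DownloadFileTask.java
@@ -14,4 +14,6 @@
 import java.nio.file.Files;
 import java.nio.file.InvalidPathException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import java.util.Enumeration;
@@ -181,4 +183,5 @@
 */
 public static void unzipFileRecursively(File file, String dir) throws IOException {
+Path dirPath = Paths.get(dir);
 try (ZipFile zf = new ZipFile(file, StandardCharsets.UTF_8)) {
 Enumeration<? extends ZipEntry> es = zf.entries();
@@ -186,4 +189,8 @@
 ZipEntry ze = es.nextElement();
 File newFile = new File(dir, ze.getName());
+// Checks for Zip Slip Vulnerability (CWE-22 / path traversal)
+if (!newFile.toPath().normalize().startsWith(dirPath)) {
+throw new IOException("Bad zip entry - Invalid or malicious file, potential CWE-22 attack");
+}
 if (ze.isDirectory()) {
 Utils.mkDirs(newFile);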
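Review bot: The containment check in `unzipFileRecursively` compares a normalized entry path against `dirPath`, which is built with `Paths.get(dir)` and never normalized or made absolute, so a `dir` containing `.` or `..` segments makes the check reject every entry, legitimate ones included. It fails closed, but both sides should be canonicalised the same way: `Path dirPath = Paths.get(dir).toAbsolutePath().normalize();` and `if (!newFile.toPath().toAbsolutePath().normalize().startsWith(dirPath)) {`. `normalize()` is purely lexical, so a symlink already present under the target directory is not covered by this check; whether that matters depends on how the rest of the method writes files, which lies outside the visible hunks. `Paths.get(dir)` and `newFile.toPath()` can also throw the unchecked `InvalidPathException` for malformed names, which would bypass callers that only handle `IOException`; the file imports that exception, so it may already be handled elsewhere.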