Sophie

ruby-rubyzip-1.1.7-1.1.mga6.src.rpm

From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
From: Alexander Simonov <alex@simonov.me>
Date: Wed, 8 Feb 2017 13:43:14 +0200
Subject: [PATCH] Fix #315 and resolve relative path vulnerability

---
 lib/zip/entry.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
index 2fa8bac..fc3e357 100755
--- a/lib/zip/entry.rb
+++ b/lib/zip/entry.rb
@@ -148,6 +148,11 @@ module Zip
     def extract(dest_path = @name, &block)
       block ||= proc { ::Zip.on_exists_proc }
 
+      if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+        puts "WARNING: skipped \"../\" path component(s) in #{@name}"
+        return self
+      end
+
       if directory? || file? || symlink?
         self.__send__("create_#{@ftype}", dest_path, &block)
       else
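
Review bot: the pattern in `if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/` is not anchored to the start of a path component, so it also matches ordinary names such as `foo../bar` or a file called `data..`, and those entries would be skipped. Anchoring it, for example `/(?:\A|\/)\.{2}(?:\/|\z)/`, limits the match to real `..` components, and with that anchor the `squeeze('/')` call is no longer needed. The guard also inspects `@name` rather than `dest_path`: a caller who passes an explicit, safe `dest_path` still gets the entry skipped, while an absolute `@name` with no `..` in it passes the check and, through the default `dest_path = @name`, reaches `create_#{@ftype}` unchanged. Validating the path that is actually written would cover both cases. In a library, `puts` sends the warning to stdout and `return self` looks the same to the caller as a successful extraction; `warn` or raising an error would make the skip visible. The diffstat shows only `lib/zip/entry.rb` changed, so a test with a `../` entry name would be worth adding alongside this fix.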