From ce4208fdecc2ad079b05d3c49d70fe6ed1d07016 Mon Sep 17 00:00:00 2001
From: Alexander Simonov <alex@simonov.me>
Date: Wed, 8 Feb 2017 13:43:14 +0200
Subject: [PATCH] Fix #315 and resolve relative path vulnerability
---
 lib/zip/entry.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
index 2fa8bac..fc3e357 100755
--- a/lib/zip/entry.rb
+++ b/lib/zip/entry.rb
@@ -148,6 +148,11 @@ module Zip
 def extract(dest_path = @name, &block)
 block ||= proc { ::Zip.on_exists_proc }
+ if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
+ puts "WARNING: skipped \"../\" path component(s) in #{@name}"
+ return self
+ end
+
 if directory? || file? || symlink?
 self.__send__("create_#{@ftype}", dest_path, &block)
 else
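Review bot: The new guard at the top of `extract` only rejects `..` components, so an entry whose `@name` is an absolute path (e.g. `/etc/cron.d/job`) still passes it and, because `dest_path` defaults to `@name`, is handed to `create_#{@ftype}` unchanged and written at that absolute location; the condition should also reject a leading separator, e.g. `if @name.start_with?('/') || @name.squeeze('/') =~ /\.{2}(?:\/|\z)/`, with the message widened to "skipped unsafe path". Whether backslash-separated names (`..\`) need the same treatment depends on whether rubyzip normalises separators before this point, which is not visible in the hunk. The skip is reported with `puts`, which goes to stdout and leaves a caller that receives `self` believing the entry was extracted; `warn` (stderr) is the minimum, and raising an error the caller can rescue would let it decide whether a hostile archive should abort extraction. The body of `extract` continues past the end of the hunk.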