fix zip path traversal vulnerability
Calsign committed May 18, 2020
1 parent 15bb52a commit c6d64cb
Showing 2 changed files with 5 additions and 1 deletion.
Expand Up @@ -271,6 +271,10 @@ private static boolean handleExtract(InputStream inputStream, File folder) {
ZipEntry zipEntry;
while ((zipEntry = zipIn.getNextEntry()) != null) {
File file = new File(folder, zipEntry.getName());
if (file.getCanonicalPath().startsWith(folder.getCanonicalPath())) {
System.err.println("Aborted zip! Attempted zip path traversal attack extracting to: " + folder.getAbsolutePath());
return false;
}

if (zipEntry.isDirectory()) {
if (!file.exists() && !file.mkdirs()) return false;
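Review bot: The guard on the `startsWith` line is inverted as shown: it aborts when the canonical path is inside `folder`, so ordinary entries are rejected while an entry that resolves outside `folder` falls through to extraction. Negate it and compare against the directory with a trailing separator, `String base = folder.getCanonicalPath() + File.separator;` then `if (!file.getCanonicalPath().startsWith(base)) {`, because a bare prefix test also accepts a sibling directory whose name merely begins with the same characters. The error message prints only the destination folder; including `zipEntry.getName()` would make a rejected archive easier to triage. `handleExtract` begins and ends outside this hunk, so it cannot be confirmed from here whether the `IOException` from `getCanonicalPath()` is handled or whether `zipIn` is closed on this early return.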
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -5,7 +5,7 @@ buildscript {
google()
}
dependencies {
classpath 'com.android.tools.build:gradle:3.6.2'
classpath 'com.android.tools.build:gradle:3.6.3'
}
}

