Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[DS-4131] Fix zip import handling to avoid path traversal exploit
Showing 1 changed file with 36 additions and 7 deletions.
7af52a0
It seems that this commit doesn't work in a Windows environment. I just tested this in a fresh install of Windows and the import failed. The log shows this:
ERROR org.dspace.app.itemimport.ItemImportServiceImpl @ Rejecting zip file: SimpleArchiveFormat.zip as it contains an entry that would be extracted outside the temporary unzip directory: C:\DSpace\imports\SimpleArchiveFormat.zip\SimpleArchiveFormat
From the command line, it returns this error:
The Batch Import (ZIP) in the web UI also doesn't work.
Using the same zip file, the import was successful when I tested this on a fresh install of Ubuntu.
Thanks @eulereadgbe, I suspect either System.getProperty("file.separator") didn't do what we expect for Windows, or we're not using it consistently to construct the path
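As an added illustration of the separator problem discussed above (example code, not the DSpace commit itself), the following containment check resolves each zip entry against the unzip directory with java.nio and compares normalized path components instead of building strings with file.separator; the class name ZipEntryGuard, the method safeResolve and the sample destination directory are assumptions for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not DSpace code): reject zip entries that would land outside
 * the unzip directory, in a way that behaves identically on Windows and POSIX.
 */
public class ZipEntryGuard {

    /** Returns the resolved destination for entryName, or throws if it escapes destDir. */
    public static Path safeResolve(Path destDir, String entryName) throws IOException {
        // Zip entries conventionally use '/', but some archivers write '\'.
        // Map both to the platform separator so ".." components are seen on every OS
        // (on POSIX this deliberately treats a backslash in a name as a separator).
        String platformName = entryName.replace('/', File.separatorChar)
                                       .replace('\\', File.separatorChar);
        Path base = destDir.toAbsolutePath().normalize();
        // resolve() returns an absolute entry path unchanged, normalize() collapses "..".
        Path target = base.resolve(platformName).normalize();
        // startsWith compares whole path components, not string prefixes, so a
        // sibling directory sharing the prefix of base is still rejected.
        if (!target.startsWith(base)) {
            throw new IOException("Rejecting zip entry that would be extracted outside "
                    + base + ": " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample destination mirroring the layout in the log line above.
        Path dest = Paths.get("imports", "SimpleArchiveFormat.zip");
        System.out.println(safeResolve(dest, "SimpleArchiveFormat/dublin_core.xml"));
        try {
            safeResolve(dest, "../outside.txt");   // constructed escaping entry
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The first call prints the entry resolved under the destination; the second is rejected because after normalization its path no longer starts with the destination's components.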