There is an unhandled edge case where we can crash the application when it tries to unzip a specially crafted zip file.
Technical details:
Below is a code snippet from the `_sanitizedPath` function used to sanitize file paths coming from zip entries before extraction, to prevent path traversal. The function prepends `file:///` to the provided path, standardizes it using `NSURL`, and then removes the prepended `file:///`. When provided with the path `/..`, however, the standardized path returned by `NSURL` becomes `file://`, which has 7 characters; the package expects at least 8 characters (the length of the prepended text), and this results in crashing the application.

```objectivec
// Add scheme "file:///" to support sanitation on names with a colon like "file:a/../../../usr/bin"
strPath = [@"file:///" stringByAppendingString:strPath];

// Sanitize path traversal characters to prevent directory backtracking.
// Ignoring these characters mimics the default behavior of the Unarchiving tool on macOS.
// "../../../../../../../../../../../tmp/test.txt" -> "tmp/test.txt"
// "a/b/../c.txt" -> "a/c.txt"
strPath = [NSURL URLWithString:strPath].standardizedURL.absoluteString;

// Remove the "file:///" scheme
strPath = [strPath substringFromIndex:8];
```
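A Python model of the three-step sanitizer described above, added here as an example and not the project's own code: `_standardize` is an assumed approximation of `NSURL`'s `standardizedURL` (it resolves `.`/`..` segments and ignores `..` that would climb above the root, as the report describes), `sanitized_path_unsafe` mirrors the unconditional 8-character strip, and `sanitized_path_guarded` shows the prefix check that avoids the out-of-range substring on `/..`.

```python
# Constructed model of the sanitizer quoted in the report (not the project's code).
SCHEME = "file:///"


def _standardize(url: str) -> str:
    """Assumed approximation of NSURL.standardizedURL.absoluteString for file: URLs."""
    assert url.startswith("file://")
    segments = []
    for seg in url[len("file://"):].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:  # ".." above the root is ignored, as the macOS unarchiver does
                segments.pop()
            continue
        segments.append(seg)
    # With no segments left the URL collapses to "file://" (7 characters)
    return "file://" + ("/" + "/".join(segments) if segments else "")


def sanitized_path_unsafe(entry_name: str) -> str:
    """Mirror of the reported snippet: strips 8 characters unconditionally."""
    s = _standardize(SCHEME + entry_name)
    if len(s) < len(SCHEME):
        # NSString substringFromIndex: throws NSRangeException here; this is the crash
        raise IndexError(f"substringFromIndex:{len(SCHEME)} on {s!r}")
    return s[len(SCHEME):]


def sanitized_path_guarded(entry_name: str) -> str:
    """Defensive variant: only strip the prefix when it is actually present."""
    s = _standardize(SCHEME + entry_name)
    if not s.startswith(SCHEME):
        return ""  # entry resolved to the root itself; nothing safe to extract
    return s[len(SCHEME):]


def crashes_on(entry_name: str) -> bool:
    """True if the unguarded sanitizer would throw for this entry name."""
    try:
        sanitized_path_unsafe(entry_name)
    except IndexError:
        return True
    return False
```

Running `crashes_on("/..")` reproduces the failure the report describes, while the guarded variant returns an empty name that the caller can reject.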
PoC: