COMPRESS-495 remove vulnerable and obsolete 7z extraction example

apache · Oct 12, 2019 · 205876d · 205876d
1 parent 26b78ce
commit 205876d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 39 deletions.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -59,6 +59,12 @@ The <action> type attribute can be add,update,fix,remove.
         Deflate64CompressorInputStream.read would return 0 for some
         inputs in violation of the InputStream.read contract.
       </action>
+      <action issue="COMPRESS-495" type="remove" date="2019-10-12">
+        Removed the extraction code from the example CLI class inside
+        of the SevenZ package. Not only is it superseeded by the
+        examples package, its implementation was vulnerable to the
+        ZipSlip attack.
+      </action>
     </release>
     <release version="1.19" date="2019-08-27"
              description="Release 1.19

diff --git a/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java b/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java
@@ -63,44 +63,6 @@ private String getContentMethods(final SevenZArchiveEntry entry) {
                 }
                 return sb.toString();
             }
-        },
-        EXTRACT("Extracting") {
-            private final byte[] buf = new byte[8192];
-            @Override
-            public void takeAction(final SevenZFile archive, final SevenZArchiveEntry entry)
-                throws IOException {
-                final File outFile = new File(entry.getName());
-                if (entry.isDirectory()) {
-                    if (!outFile.isDirectory() && !outFile.mkdirs()) {
-                        throw new IOException("Cannot create directory " + outFile);
-                    }
-                    System.out.println("created directory " + outFile);
-                    return;
-                }
-
-                System.out.println("extracting to " + outFile);
-                final File parent = outFile.getParentFile();
-                if (parent != null && !parent.exists() && !parent.mkdirs()) {
-                    throw new IOException("Cannot create " + parent);
-                }
-                try (final OutputStream fos = Files.newOutputStream(outFile.toPath())) {
-                    final long total = entry.getSize();
-                    long off = 0;
-                    while (off < total) {
-                        final int toRead = (int) Math.min(total - off, buf.length);
-                        final int bytesRead = archive.read(buf, 0, toRead);
-                        if (bytesRead < 1) {
-                            throw new IOException("Reached end of entry "
-                                                  + entry.getName()
-                                                  + " after " + off
-                                                  + " bytes, expected "
-                                                  + total);
-                        }
-                        off += bytesRead;
-                        fos.write(buf, 0, bytesRead);
-                    }
-                }
-            }
         };
 
         private final String message;
@@ -134,7 +96,7 @@ public static void main(final String[] args) throws Exception {
     }
 
     private static void usage() {
-        System.out.println("Parameters: archive-name [list|extract]");
+        System.out.println("Parameters: archive-name [list]");
     }
 
     private static Mode grabMode(final String[] args) {