o Updated to guard against directory traversal issues.

Fixes #4
codehaus-plexus · May 7, 2016 · 33a2853 · 33a2853
1 parent f933e5e
commit 33a2853
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/main/java/org/codehaus/plexus/util/Expand.java b/src/main/java/org/codehaus/plexus/util/Expand.java
@@ -136,6 +136,12 @@ protected void extractFile( File srcF, File dir, InputStream compressedInputStre
         throws Exception
     {
         File f = FileUtils.resolveFile( dir, entryName );
+
+        if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+        {
+            throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+        }
+
         try
         {
             if ( !overwrite && f.exists() && f.lastModified() >= entryDate.getTime() )