
addressed Unzip zip-slip-vulnerability

closes #2098
WanWizard committed Jul 18, 2018
1 parent 0a7931b commit 95945e137a4cd28696860dccfeadbb3f0a3e9a1c
Showing with 10 additions and 3 deletions.
  1. +10 −3 classes/unzip.php
@@ -129,9 +129,16 @@ public function extract($zip_file, $target_dir = NULL, $preserve_filepath = TRUE
continue;
}
$file_locations[] = $file_location = $this->_target_dir . '/' . ($preserve_filepath ? $file : basename($file));
$this->_extract_file($file, $file_location);
$file_location = realpath($this->_target_dir . '/' . ($preserve_filepath ? $file : basename($file)));
if ($file_location and strpos($file_location, $this->_target_dir) === 0)
{
$file_locations[] = $file_location;
$this->_extract_file($file, $file_location);
}
else
{
throw new \FuelException('ZIP file attempted to use the zip-slip-vulnerability. Extraction aborted.');
}
}
return $file_locations;
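Review bot: `realpath()` returns false for a path that does not exist yet, and here it is called on the destination before `_extract_file()` writes it, so an ordinary entry extracted for the first time would land in the else branch and abort the whole extraction. The prefix test `strpos($file_location, $this->_target_dir) === 0` also has no trailing separator and compares against a `_target_dir` that is not shown to be canonical, so a sibling directory whose name merely begins with the target's name would pass. Resolving the parent directory and comparing both sides with a trailing `DIRECTORY_SEPARATOR` covers both cases, assuming the parent directory exists by this point, which the hunk does not show. Entries written before the exception is thrown stay on disk, so the method's docblock should state that a failed call can leave a partial extraction behind. The body of extract() starts and ends outside the hunk.

```php
// … unchanged: earlier part of the loop, up to the `continue;` guard …
$file_location = $this->_target_dir . '/' . ($preserve_filepath ? $file : basename($file));

// The file itself does not exist before extraction, so canonicalise its parent directory.
$target_real = realpath($this->_target_dir);
$parent_real = realpath(dirname($file_location));

if ($target_real !== false and $parent_real !== false
	and strpos($parent_real . DIRECTORY_SEPARATOR, $target_real . DIRECTORY_SEPARATOR) === 0)
{
	// … unchanged: record $file_location and call _extract_file() …
}
// … unchanged: else branch throwing \FuelException …
```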
