Merge pull request #3482 from daniel-beck/zip-slip-tar

[JENKINS-51777] Don't let tar entries escape target dir
oleg-nenashev committed Jun 9, 2018
2 parents ee384ba + 7438abb commit 1afd9f8c6ea02d6e2e3b80eb384526b61f43cd80
Showing with 4 additions and 0 deletions.
  1. +4 −0 core/src/main/java/hudson/FilePath.java
@@ -2602,6 +2602,10 @@ private void readFromTar(String name, File baseDir, InputStream in) throws IOExc
TarArchiveEntry te;
while ((te = t.getNextTarEntry()) != null) {
File f = new File(baseDir, te.getName());
if (!f.toPath().normalize().startsWith(baseDir.toPath())) {
throw new IOException(
"Tar " + name + " contains illegal file name that breaks out of the target directory: " + te.getName());
}
if (te.isDirectory()) {
mkdirs(f);
} else {
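
Review bot: In the new `startsWith` check only `f` is normalized, while `baseDir.toPath()` is compared as-is, so a `baseDir` containing `.` or `..` segments (for example `a/../b`) makes every entry fail the prefix test and the extraction is rejected even for well-formed archives. That fails closed, but normalizing the base once before the loop and comparing against it, e.g. `Path base = baseDir.toPath().normalize();`, would make the comparison symmetric. Note also that `normalize()` is purely lexical and does not resolve symbolic links, so this check covers `../` in entry names only; it would help to say so in a comment above the check. The commit changes only FilePath.java, so a regression test that extracts a tar with an entry named like `../x` and expects the `IOException` would be a useful addition.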
