
[JENKINS-51777] Don't let tar entries escape target dir

daniel-beck committed Jun 7, 2018
1 parent e992e11 commit 7438abb88fc7d9bbd5f2b265e8fb191179a3c553
Showing with 4 additions and 0 deletions.
  1. +4 −0 core/src/main/java/hudson/FilePath.java
@@ -2452,6 +2452,10 @@ private void readFromTar(String name, File baseDir, InputStream in) throws IOExc
TarArchiveEntry te;
while ((te = t.getNextTarEntry()) != null) {
File f = new File(baseDir, te.getName());
if (!f.toPath().normalize().startsWith(baseDir.toPath())) {
throw new IOException(
"Tar " + name + " contains illegal file name that breaks out of the target directory: " + te.getName());
}
if (te.isDirectory()) {
mkdirs(f);
} else {
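
Review bot: In the new check `f.toPath().normalize().startsWith(baseDir.toPath())`, only the entry path is normalized, while `baseDir.toPath()` is compared as given, so a base directory passed with `.` or `..` segments would make every entry fail the check, legitimate ones included. Normalizing both sides, for example with `baseDir.toPath().normalize()` computed once before the loop, avoids that. `normalize()` is also purely lexical and does not resolve symbolic links, so the check covers `../` components in `te.getName()` but not a path that passes through a link already present under the target directory; a comment stating that limit would help future readers. The commit touches only FilePath.java, so a regression test that unpacks a tar with a `../` entry and expects the `IOException` would be a useful follow-up.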

0 comments on commit 7438abb
