handle absolute paths correctly when unzipping

When checking that an unzipped file does not break out of the target directory - this handles '..' in absolute paths correctly, where the previous implementation might not.
jenkinsci · May 8, 2018 · e7cc06e · e7cc06e
1 parent 7250d8b
commit e7cc06e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/src/main/java/hudson/FilePath.java b/core/src/main/java/hudson/FilePath.java
@@ -598,7 +598,7 @@ private void unzip(File dir, File zipFile) throws IOException {
             while (entries.hasMoreElements()) {
                 ZipEntry e = entries.nextElement();
                 File f = new File(dir, e.getName());
-                if (!f.toPath().normalize().startsWith(dir.toPath())) {
+                if (!f.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
                     throw new IOException(
                         "Zip " + zipFile.getPath() + " contains illegal file name that breaks out of the target directory: " + e.getName());
                 }