From e7cc06e7458303913498779af2c2fa3353f4dab1 Mon Sep 17 00:00:00 2001
From: aviadatsnyk
Date: Sun, 6 May 2018 16:44:17 +0300
Subject: [PATCH] handle absolute paths correctly when unzipping
When checking that an unzipped file does not break out of the target directory - this handles '..' in absolute paths correctly, where the previous implementation might not.
---
 core/src/main/java/hudson/FilePath.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/java/hudson/FilePath.java b/core/src/main/java/hudson/FilePath.java
index 0bcc31c32b97..089d8f8ff8e5 100644
--- a/core/src/main/java/hudson/FilePath.java
+++ b/core/src/main/java/hudson/FilePath.java
@@ -598,7 +598,7 @@ private void unzip(File dir, File zipFile) throws IOException {
 while (entries.hasMoreElements()) {
 ZipEntry e = entries.nextElement();
 File f = new File(dir, e.getName());
- if (!f.toPath().normalize().startsWith(dir.toPath())) {
+ if (!f.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
 throw new IOException(
 "Zip " + zipFile.getPath() + " contains illegal file name that breaks out of the target directory: " + e.getName());
 }
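Review bot: The new guard compares canonical paths as strings, so `startsWith` matches character by character rather than by path component. An entry whose canonical path falls in a sibling directory whose name merely begins with the target directory's name therefore still passes the check. Comparing `Path` objects keeps the canonicalisation this patch introduces while restoring component-wise matching: `if (!f.getCanonicalFile().toPath().startsWith(dir.getCanonicalFile().toPath())) {`. `dir.getCanonicalPath()` is also loop-invariant and could be resolved once before the `while` loop; the start and end of `unzip` are outside this hunk. A regression test covering both a `..` entry name and a prefix-sharing sibling directory would pin the intended behaviour.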