Directory traversal vulnerability when handling crafted zip file #123

Closed
jiahao42 opened this issue May 9, 2020 · 3 comments
Labels
bug Something isn't working


jiahao42 commented May 9, 2020

Impact

This vulnerability could allow the attacker to write a file to an arbitrary directory.

How to reproduce

On the latest version (0.1.19) and the master branch of zip:

To reproduce the issue, you may try to extract this crafted zip file, which contains two files good.txt and ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt. After extraction, you will find evil.txt is at /tmp, which should be at ./tmp.

Here is the [PoC repo](https://github.com/jiahao42/PoC/tree/master/zip%40kuba--).

Root cause

The root cause is that zip doesn't normalize the path in mz_zip_reader_file_stat in miniz.h.

Patch

#124 should be able to fix the problem.
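
The root cause described above, as an added example (not code from zip, miniz or #124): a hypothetical `normalize_entry_name` helper that reduces an entry name to a relative path before it is joined to the extraction directory. The sample names in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the project's code): rewrite a zip entry name into
 * a relative path that cannot leave the extraction directory. Empty, "." and
 * ".." components are dropped, which also removes leading separators.
 * Returns 0 on success, -1 if nothing is left or `out` is too small. */
static int normalize_entry_name(const char *in, char *out, size_t outsz)
{
    size_t len = 0;

    while (*in != '\0') {
        /* A component ends at '/' or '\\' (archives built on Windows). */
        size_t n = strcspn(in, "/\\");
        int skip = n == 0 || (n == 1 && in[0] == '.') ||
                   (n == 2 && in[0] == '.' && in[1] == '.');

        if (!skip) {
            /* Need room for a joining '/', the component and the NUL. */
            if (len + (len ? 1 : 0) + n + 1 > outsz)
                return -1;
            if (len)
                out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
        if (*in != '\0')
            in++; /* step over the separator */
    }
    if (len == 0)
        return -1;
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the PoC archive. */
    const char *names[] = { "good.txt", "../../../tmp/evil.txt",
                            "/abs/x", "..\\..\\w.txt", "../.." };
    char buf[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = normalize_entry_name(names[i], buf, sizeof buf);
        printf("%-24s -> %s\n", names[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

Dropping `..` rather than resolving it means `a/../b` becomes `a/b`; a stricter extractor can reject such entries outright instead.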

@kuba-- kuba-- added the bug Something isn't working label May 9, 2020
@jinfeihan57
Collaborator

@kuba-- @jiahao42
This issue only happens with the API zip_extract(). Am I right?
For the APIs zip_entry_open() and zip_entry_fread(), the full name of the archive file must be specified,
so the file path is designated by the programmer and should not be wrong.
@jiahao42
It's been a long time. Are you still working on #124?
If you have stopped, I think I can help.

@jiahao42
Author

Hi, it would be great if you are willing to help, thanks.

@kuba--
Owner

kuba-- commented Aug 26, 2020

Hi, it would be great if you are willing to help, thanks.

https://github.com/kuba--/zip/pull/136#issuecomment-681007967

kuba-- pushed a commit that referenced this issue Aug 28, 2020
* normalize entry names on extract
@kuba-- kuba-- closed this as completed Aug 28, 2020