normalize filenames in zip #124

Closed
wants to merge 1 commit into from

@jiahao42

jiahao42 commented May 9, 2020

This pull request aims to fix #123, so that when a filename in zip is ../../../../../../tmp/evil.txt, it will be normalized to tmp/evil.txt.

@kuba--
Owner

kuba-- commented May 9, 2020

Thanks for the PR.

It would be good not to modify the miniz.h file, because I'm planning to upgrade (some day).
I know it's already been hacked a little bit, but it also slows down the upgrade process.

Moreover, ISSLASH (and other helper functions) is already defined in zip.c, so I suggest putting it there.
Also, I would try to have an API similar to:
char *realpath(const char *restrict file_name, char *restrict resolved_name);
from stdlib.
Or you can take a look at (and simplify) how it's done in the unzip tool:
https://github.com/madler/unzip/blob/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c/unix/unix.c#L519

@jiahao42
Author

jiahao42 commented May 9, 2020

Thanks for the suggestions, that's very constructive!

I will probably modify the PR later and see if it could work better :)

@jinfeihan57
Collaborator

@jiahao42 @kuba--

I tested this PR. It's handled differently than 7zip. Test file:
test.zip

When I create a zip using zip_entry_open(zip, "test/dir1/../../../../../../../../../../../test-2.txt");
and use this PR to zip_extract(argv[1], ".", on_extract_entry, &arg);
the file test-2.txt is in the current folder, and the dir1 folder is missing.
Using 7zip to extract:
the file test-2.txt is in test/dir1/test-2.txt.
Same result with PeaZip.

So I will adjust this part.

@kuba--
Owner

kuba-- commented Aug 24, 2020

> @jiahao42 @kuba--
>
> I tested this PR. It's handled differently than 7zip. Test file:
> test.zip
>
> When I create a zip using zip_entry_open(zip, "test/dir1/../../../../../../../../../../../test-2.txt");
> and use this PR to zip_extract(argv[1], ".", on_extract_entry, &arg);
> the file test-2.txt is in the current folder, and the dir1 folder is missing.
> Using 7zip to extract:
> the file test-2.txt is in test/dir1/test-2.txt.
> Same result with PeaZip.
>
> So I will adjust this part.

I suggested taking a look at how it's done in zlib.
There is a kill dots flag.

@jinfeihan57
Collaborator

@kuba--
unzip skips “../”. Check here, just like 7zip and p7zip.

@kuba--
Owner

kuba-- commented Aug 25, 2020

> @kuba--
> unzip skips “../”. Check here, just like 7zip and p7zip.

Of course, that's why I'm not saying to close this PR, but to reimplement it (see comment above).
Unzip also skips the front '/' in the entry name.

kuba-- closed this Aug 28, 2020
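
The two behaviours compared in this thread (resolving ".." as reported for this PR, versus skipping it as reported for unzip and 7zip), as an added example that is not code from this PR or from the zip library. normalize_entry, norm and IS_SEP are hypothetical names, and treating '\' as a separator is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Separator test defined for this example ('\\' included for crafted names). */
#define IS_SEP(c) ((c) == '/' || (c) == '\\')

/* Hypothetical helper, not the zip library's API. Writes a relative,
 * '/'-separated copy of `in` to `out`. Leading/repeated separators and "."
 * are always dropped. ".." is dropped when resolve == 0 (unzip/7zip result
 * in the thread) or pops one component, never past the top, when resolve != 0
 * (result reported for this PR). Returns 0, or -1 if `out` is too small. */
int normalize_entry(const char *in, char *out, size_t cap, int resolve) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*in) {
        while (IS_SEP(*in)) in++;
        size_t len = 0;
        while (in[len] && !IS_SEP(in[len])) len++;
        if (len == 2 && in[0] == '.' && in[1] == '.') {
            if (resolve) {
                while (n > 0 && out[n - 1] != '/') n--; /* drop last component */
                if (n > 0) n--;                         /* and its separator */
            }
        } else if (len > 0 && !(len == 1 && in[0] == '.')) {
            if (n + len + 2 > cap) return -1;  /* '/' + component + NUL */
            if (n) out[n++] = '/';
            memcpy(out + n, in, len);
            n += len;
        }
        in += len;
    }
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper for the demo: static buffer, NULL on overflow. */
const char *norm(const char *in, int resolve) {
    static char buf[256];
    return normalize_entry(in, buf, sizeof buf, resolve) == 0 ? buf : NULL;
}

int main(void) {
    /* First and third names are from the thread; the second is constructed. */
    const char *names[] = { "../../../../../../tmp/evil.txt", "/tmp/evil.txt",
        "test/dir1/../../../../../../../../../../../test-2.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-55s skip:    %s\n", names[i], norm(names[i], 0));
        printf("%-55s resolve: %s\n", names[i], norm(names[i], 1));
    }
    return 0;
}
```

Either mode keeps these names below the destination directory; the choice only changes where the file lands inside it, which is the difference from 7zip raised in the thread.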
Successfully merging this pull request may close these issues.

Directory traversal vulnerability when handling crafted zip file