LPS-149266 - add check to ZipSlip vulnerability in FileImpl
jeffwu0724 authored and brianchandotcom committed Jul 19, 2022
1 parent 3c7c8f9 commit 5976cb6
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions portal-impl/src/com/liferay/portal/util/FileImpl.java
Expand Up @@ -778,6 +778,22 @@ public void unzip(File source, File destination) {
while ((entry = zipInputStream.getNextEntry()) != null) {
File destinationFile = new File(destination, entry.getName());

String destinationFileCanonicalPath =
destinationFile.getCanonicalPath();

if (!destinationFileCanonicalPath.startsWith(
destination.getCanonicalPath() + File.separator)) {

if (_log.isWarnEnabled()) {
_log.warn(
StringBundler.concat(
"Entry Name: ", entry.getName(),
" is not valid"));
}

continue;
}

if (entry.isDirectory()) {
destinationFile.mkdirs();
}
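Review bot: The rejection path in the new `if` block only logs at warn level (and only when `_log.isWarnEnabled()`) before `continue`, so an archive containing a traversal entry is still partially extracted and the caller of `unzip` gets no signal that anything was dropped. Consider aborting the extraction or surfacing the rejection to the caller instead of skipping silently, and make the message say why the entry was refused and for which archive, since "Entry Name: ... is not valid" gives little to triage from. Separately, `destination.getCanonicalPath() + File.separator` is recomputed for every entry inside the `while` loop; resolve it once before the loop and compare against that value. A short comment on the check explaining that the trailing `File.separator` prevents a sibling directory sharing the destination's name as a prefix from passing `startsWith` would help future readers keep it intact.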