Allow tilde in zip entry names #391

Merged
merged 1 commit into from May 23, 2019

@jdleesmiller
Member

@jdleesmiller jdleesmiller commented Mar 3, 2019

Use absolute_path rather than expand_path to allow tilde to pass through unchanged. Otherwise, we try to expand it to a home directory.

For example, a zip containing a file named ~tilde~ caused this error on extraction:

  1) Error:
PathTraversalTest#test_entry_name_with_tilde:
ArgumentError: user tilde~ doesn't exist
    /Users/john/ex/rubyzip/lib/zip/entry.rb:120:in `expand_path'

because it interpreted ~tilde~ as "get me the path to the home directory of the user tilde~".

An entry name containing ~ should still be considered 'safe', provided that the user doesn't use it in a shell context where the ~ would again be expanded.

This was introduced in #376.

Thanks to @mmazour for catching this.
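
Added example, not part of the pull request or of rubyzip's code: it compares how `File.expand_path` and `File.absolute_path` resolve entry names against a destination directory, and shows that a containment check built on `absolute_path` accepts `~tilde~` while still rejecting traversal. The helper names, the destination path and the entry names other than `~tilde~` are constructed for illustration.

```ruby
# Constructed destination directory; it does not need to exist on disk.
DEST = '/tmp/extract-dest'

# Hypothetical helper: true when entry_name, resolved with the given File
# method (:absolute_path or :expand_path), stays inside dest_dir.
def safe_entry?(entry_name, dest_dir, resolver: :absolute_path)
  root = File.absolute_path(dest_dir)
  prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR
  # Both methods normalise "." and ".." segments; only expand_path treats a
  # leading "~" or "~user" as a home directory lookup.
  target = File.public_send(resolver, entry_name, root)
  target == root || target.start_with?(prefix)
end

# Maps the outcome to :safe, :unsafe, or :error (resolver raised).
def classify(entry_name, dest_dir, resolver)
  safe_entry?(entry_name, dest_dir, resolver: resolver) ? :safe : :unsafe
rescue ArgumentError
  # expand_path raises when "~name" does not match an existing user.
  :error
end

# Constructed entry names: two harmless names with a tilde, three that must
# be rejected because they resolve outside the destination.
SAMPLE_ENTRIES = [
  '~tilde~',
  'docs/~backup',
  '../../etc/passwd',
  '/etc/passwd',
  'a/../../b'
].freeze

def report(entries = SAMPLE_ENTRIES, dest_dir = DEST)
  entries.map do |name|
    [name,
     classify(name, dest_dir, :expand_path),
     classify(name, dest_dir, :absolute_path)]
  end
end

if $PROGRAM_NAME == __FILE__
  puts format('%-20s %-12s %s', 'entry', 'expand_path', 'absolute_path')
  report.each { |row| puts format('%-20s %-12s %s', *row) }
end
```

The caveat from the description still applies after this check: a name that is safe as a file path is not safe if it is later interpolated into a shell command, where `~` is expanded again.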

@coveralls

@coveralls coveralls commented Mar 3, 2019

Coverage increased (+4.08%) to 99.836% when pulling ad15c3c on jdleesmiller:fix-expand-path into 8ece5c9 on rubyzip:master.

Use absolute_path rather than expand_path to allow tilde to pass through
unchanged. Otherwise, we try to expand it to a home directory.
@jdleesmiller jdleesmiller force-pushed the jdleesmiller:fix-expand-path branch from 1ab4c73 to ad15c3c Mar 22, 2019
@jdleesmiller jdleesmiller merged commit ef516bd into rubyzip:master May 23, 2019
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
coverage/coveralls Coverage increased (+4.08%) to 99.836%
@jdleesmiller jdleesmiller deleted the jdleesmiller:fix-expand-path branch May 23, 2019
This was referenced Mar 11, 2021