zip slip vulnerability #358

Closed
xuwei-k opened this issue Oct 15, 2023 · 1 comment · Fixed by #360

@xuwei-k
Member

xuwei-k commented Oct 15, 2023

How to fix?

eed3si9n added a commit to eed3si9n/io that referenced this issue Oct 22, 2023
Fixes sbt#358
Ref codehaus-plexus/plexus-archiver 87

**Problem**
IO.unzip currently has a zip-slip vulnerability, which can write arbitrary
files on the machine using a specially crafted zip archive that holds path
traversal file names.

**Solution**
This replicates the fix originally sent to plex-archiver by Snyk Team.

@eed3si9n
Member

I have a fix here - #360
