Merge pull request #544 from oxygen-dioxide/zipslip
Prevent from zip slip attack / 防范zip上级文件夹攻击
stakira committed Nov 14, 2022
2 parents 863afd5 + 4a81de2 commit 849a0a6
Showing 1 changed file with 14 additions and 11 deletions.
25 changes: 14 additions & 11 deletions OpenUtau.Core/Classic/VoicebankInstaller.cs
@@ -43,18 +43,21 @@ public class VoicebankInstaller {
int count = 0;
bool hasCharacterYaml = archive.Entries.Any(e => e.Key.EndsWith(kCharacterYaml));
foreach (var entry in archive.Entries) {
var filePath = Path.Combine(basePath, entry.Key);
Directory.CreateDirectory(Path.GetDirectoryName(filePath));
if (!entry.IsDirectory && entry.Key != kInstallTxt) {
entry.WriteToFile(Path.Combine(basePath, entry.Key), extractionOptions);
if (!hasCharacterYaml && filePath.EndsWith(kCharacterTxt)) {
var config = new VoicebankConfig() {
TextFileEncoding = textEncoding.WebName,
};
using (var stream = File.Open(filePath.Replace(".txt", ".yaml"), FileMode.Create)) {
config.Save(stream);
if (!(entry.Key.Contains("..")))//detect zipSlip attack
{
var filePath = Path.Combine(basePath, entry.Key);
Directory.CreateDirectory(Path.GetDirectoryName(filePath));
if (!entry.IsDirectory && entry.Key != kInstallTxt) {
entry.WriteToFile(Path.Combine(basePath, entry.Key), extractionOptions);
if (!hasCharacterYaml && filePath.EndsWith(kCharacterTxt)) {
var config = new VoicebankConfig() {
TextFileEncoding = textEncoding.WebName,
};
using (var stream = File.Open(filePath.Replace(".txt", ".yaml"), FileMode.Create)) {
config.Save(stream);
}
}
}
}
}
progress.Invoke(100.0 * ++count / total, entry.Key);
}
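Review bot: The `entry.Key.Contains("..")` guard is a substring test, not a containment check on the resolved path. It silently skips legitimate files whose names merely contain two dots (a constructed example: `a..b.wav`), and it does not cover a rooted entry key, for which `Path.Combine(basePath, entry.Key)` returns the key itself and drops `basePath`. Resolving the target and comparing it with the install root is sturdier: `var filePath = Path.GetFullPath(Path.Combine(basePath, entry.Key));` followed by `if (filePath.StartsWith(Path.GetFullPath(basePath) + Path.DirectorySeparatorChar, StringComparison.Ordinal)) {` in place of the `Contains` test. The same `filePath` should then be passed to `entry.WriteToFile` instead of recombining the path, and a skipped entry is worth logging so the user can see that part of the archive was rejected. The enclosing method starts and ends outside this hunk.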