Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[filesystem] ZipManager: skip path traversal #12023

Merged
merged 1 commit into from May 10, 2017

Conversation

Projects
None yet
4 participants
@Rechi
Copy link
Member

Rechi commented Apr 28, 2017

Description

Skip items in a zip file, which try to traverse to a parent directory.

Motivation and Context

Without this a zip file can override every file the current user has write permission.

How Has This Been Tested?

Tested with a malicious zip file.

Types of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the Code guidelines of this project
  • My change requires a change to the documentation, either Doxygen or wiki
  • I have updated the documentation accordingly
  • I have read the CONTRIBUTING document
  • I have added tests to cover my change
  • All new and existing tests passed

@ace20022 @MartijnKaijser @wsnipex FYI

@Rechi Rechi added this to the L 18.0-alpha1 milestone Apr 28, 2017

@wsnipex

This comment has been minimized.

Copy link
Member

wsnipex commented Apr 28, 2017

thanks! jenkins build this please

@Rechi Rechi referenced this pull request Apr 28, 2017

Merged

[filesystem] ZipManager: skip path traversal #12024

3 of 9 tasks complete
@tamland

This comment has been minimized.

Copy link
Member

tamland commented Apr 28, 2017

Please add some tests that verifies this.

@Rechi

This comment has been minimized.

Copy link
Member Author

Rechi commented Apr 28, 2017

@tamland should I add tests which only check the regex or also check with a real zip file?

@tamland

This comment has been minimized.

Copy link
Member

tamland commented Apr 28, 2017

I think just the regex/file filtering should be good enough.
Not sure how smart it would be to unpack a real malicious zip to a real directory..:)

@Rechi

This comment has been minimized.

Copy link
Member Author

Rechi commented Apr 28, 2017

added some testcases
Still not sure if I create a new testcase file is valid.

#include <string>
#include <vector>
#include <map>

class CURL;

static const std::regex PATH_TRAVERASL("(^|\\/|\\\\)\\.{2}($|\\/|\\\\)");

This comment has been minimized.

Copy link
@Paxxi

Paxxi May 7, 2017

Member

spelling error 😄
Also you can use a raw string R"_((^|\/|\\)\.{2}($|\/|\\))_" a bit messy but makes the regex a bit simpler to read

@Rechi Rechi force-pushed the Rechi:zipTraversal branch from bc7922e to c659486 May 7, 2017

@Rechi

This comment has been minimized.

Copy link
Member Author

Rechi commented May 7, 2017

@Paxxi updated

@Paxxi
Copy link
Member

Paxxi left a comment

Looks good to me

@Rechi

This comment has been minimized.

Copy link
Member Author

Rechi commented May 9, 2017

@tamland @wsnipex please have a look again as I've done a few changes

@wsnipex

This comment has been minimized.

Copy link
Member

wsnipex commented May 10, 2017

looks good

@Rechi

This comment has been minimized.

Copy link
Member Author

Rechi commented May 10, 2017

jenkins build this please

@Rechi Rechi merged commit fba3536 into xbmc:master May 10, 2017

2 of 3 checks passed

continuous-integration/travis-ci/pr The Travis CI build failed
Details
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
default You're awesome. Have a cookie
Details

@Rechi Rechi deleted the Rechi:zipTraversal branch May 10, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.