[filesystem] ZipManager: skip path traversal #12023
thanks! jenkins build this please
Please add some tests that verify this.
@tamland should I add tests which only check the regex or also check with a real zip file?
I think just the regex/file filtering should be good enough.
added some testcases
xbmc/filesystem/ZipManager.h
#include <string> | ||
#include <vector> | ||
#include <map> | ||
|
||
class CURL; | ||
|
||
static const std::regex PATH_TRAVERASL("(^|\\/|\\\\)\\.{2}($|\\/|\\\\)"); |
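Review bot: the constant on the last line is spelled PATH_TRAVERASL; rename it to PATH_TRAVERSAL before other code starts referring to it. Because it is declared static const in ZipManager.h, every translation unit that includes this header constructs its own std::regex during static initialization; consider declaring it here and defining it once in the .cpp, or keeping it local to the code that filters entries. The includes visible here are <string>, <vector> and <map>, so check that <regex> is included directly in this header. A one-line comment stating that the pattern matches a ".." segment bounded by start or end of string, "/" or "\" would also help readers of the escaped literal.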
@Paxxi updated
Looks good to me
looks good
jenkins build this please
Description
Skip items in a zip file which try to traverse to a parent directory.
Motivation and Context
Without this, a zip file can override every file the current user has write permission for.
How Has This Been Tested?
Tested with a malicious zip file.
@ace20022 @MartijnKaijser @wsnipex FYI
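An added example (not code from this PR or from Kodi) that applies the regex quoted from ZipManager.h to constructed entry names, showing which names are skipped and which similar-looking names are kept. The names `kPathTraversal`, `IsTraversalEntry` and `FilterEntries` are hypothetical.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Pattern copied from the ZipManager.h line quoted in this PR: a ".." path
// segment bounded by start/end of string, '/' or '\'.
static const std::regex kPathTraversal("(^|\\/|\\\\)\\.{2}($|\\/|\\\\)");

// Hypothetical helper (not Kodi's API): true if the entry name must be skipped.
bool IsTraversalEntry(const std::string& name)
{
  return std::regex_search(name, kPathTraversal);
}

// Hypothetical helper: returns only the entry names that pass the filter.
std::vector<std::string> FilterEntries(const std::vector<std::string>& names)
{
  std::vector<std::string> kept;
  for (const auto& n : names)
    if (!IsTraversalEntry(n))
      kept.push_back(n);
  return kept;
}

int main()
{
  // Constructed entry names, not taken from a real archive.
  const std::vector<std::string> names = {
    "addon/addon.xml",      // ordinary entry
    "../outside.txt",       // leading ".." segment
    "addon/../../outside",  // ".." segments in the middle
    "addon\\..\\outside",   // backslash separators
    "addon/..",             // trailing ".." segment
    "..",                   // bare ".."
    "addon/..hidden",       // dots belong to a file name, not a segment
    "addon/notes..txt",     // same
    "addon/.../x",          // three dots is an ordinary name
  };
  for (const auto& n : names)
    std::cout << (IsTraversalEntry(n) ? "skip  " : "keep  ") << n << '\n';
  return 0;
}
```

The pattern only flags `..` segments; an absolute entry name contains none, so it is not matched and needs its own check if the extraction code does not already handle it.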