[filesystem] ZipManager: skip path traversal #12024

Merged
merged 1 commit into from May 11, 2017


Rechi
Member

@Rechi Rechi commented Apr 28, 2017

Description

Skip items in a zip file, which try to traverse to a parent directory.
Backport of #12023

Motivation and Context

Without this, a zip file can overwrite every file the current user has write permission for.

How Has This Been Tested?

Tested with a malicious zip file.

Types of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the Code guidelines of this project
  • My change requires a change to the documentation, either Doxygen or wiki
  • I have updated the documentation accordingly
  • I have read the CONTRIBUTING document
  • I have added tests to cover my change
  • All new and existing tests passed

@Rechi Rechi added Type: Backport Type: Fix non-breaking change which fixes an issue v17 Krypton labels Apr 28, 2017
@Rechi Rechi added this to the Krypton 17.2-RC1 milestone Apr 28, 2017
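
The check the description above calls for, as an added example that is not part of this pull request or of Kodi's ZipManager code. The function names are hypothetical, and the example goes beyond the description by also rejecting absolute and drive-letter paths, which bypass the extraction root in the same way:

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Returns true when a zip entry name would resolve outside the extraction root.
// Hypothetical helper for illustration; not the project's implementation.
bool EntryEscapesRoot(std::string name)
{
  // Archives may carry either separator, so treat '\' like '/'.
  std::replace(name.begin(), name.end(), '\\', '/');

  // Absolute and drive-letter paths ignore the extraction root entirely.
  if (!name.empty() && name[0] == '/')
    return true;
  if (name.size() >= 2 && std::isalpha(static_cast<unsigned char>(name[0])) && name[1] == ':')
    return true;

  int depth = 0; // directory levels below the extraction root
  std::size_t pos = 0;
  while (pos <= name.size())
  {
    std::size_t end = name.find('/', pos);
    if (end == std::string::npos)
      end = name.size();
    const std::string part = name.substr(pos, end - pos);
    if (part == "..")
    {
      if (--depth < 0)
        return true; // climbed above the root
    }
    else if (!part.empty() && part != ".")
      ++depth;
    pos = end + 1;
  }
  return false;
}

// Keeps only entries that stay inside the root; offending entries are skipped.
std::vector<std::string> SafeEntries(const std::vector<std::string>& names)
{
  std::vector<std::string> kept;
  for (const auto& n : names)
    if (!EntryEscapesRoot(n))
      kept.push_back(n);
  return kept;
}
```

Tracking depth instead of searching for the substring `..` lets a name such as `skin/../addon.xml` through, because it never leaves the root, while still skipping `skin/../../x`.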
@Rechi
Member Author

Rechi commented May 10, 2017

updated to be equal with #12023

@MartijnKaijser
Member

jenkins build this please

2 similar comments
@MartijnKaijser
Member

jenkins build this please

@Rechi
Member Author

Rechi commented May 11, 2017

jenkins build this please

@MartijnKaijser MartijnKaijser merged commit 089bed6 into xbmc:Krypton May 11, 2017
@Rechi Rechi deleted the zipTraversalKrypton branch May 11, 2017 07:02
@pappalar

pappalar commented May 24, 2017

Hello,

is this already available here?
https://kodi.tv/download

I see it is in the milestone, and from https://kodi.tv/download it seems that 17.2 has also been released there.

I just wanted to double check.
(also it is on all platforms, right?)

@pappalar

Ok I found the article here: https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release
Thanks :D

@razvansalajan

Hi,

I will make a presentation about Hacked in Translation at one of my computer science courses. I would also like to reproduce the bug with a zip file. Could any of you guys help me out with a malicious zip file?

@stefansaraev
Contributor

stefansaraev commented Jun 19, 2017

@razvansalajan sorry for being harsh on you, but you should be able to make one yourself.
