Minizip allows extraction outside root folder #433

Closed
tim-janik opened this issue Oct 22, 2019 · 2 comments
Labels: fixed (Issue or bug has been fixed), security (Security issue)


With a specially crafted ZIP file, Minizip (via mz_zip_reader_save_all()) will write into $CWD/..

```
Minizip 2.9.0 - https://github.com/nmoinvaz/minizip
---------------------------------------------------
-l t.zip 
      Packed     Unpacked Ratio Method   Attribs Date     Time  CRC-32     Name
      ------     -------- ----- ------   ------- ----     ----  ------     ----
          17           17  100% Stored  81800080 11-04-06 11:33 c7f761e7   ././y/x/../../../../../../../tmp/zz
          21           56   37% Defl:X  81800080 10-22-19 23:48 572b1c12   ././y/x/../../../../../../../tmp/zz
```

Extraction:

```
Minizip 2.9.0 - https://github.com/nmoinvaz/minizip
---------------------------------------------------
-x t.zip 
Archive t.zip
Extracting ././y/x/../../../../../../../tmp/zz
The file ../tmp/zz exists. Overwrite ? [y]es, [n]o, [A]ll: 
```

Note how e.g. UnZip 6.00 handles this situation:

```
$ unzip t.zip
Archive:  t.zip
warning:  skipped "../" path component(s) in ././y/x/../../../../../../../tmp/zz
 extracting: y/x/tmp/zz              
warning:  skipped "../" path component(s) in ././y/x/../../../../../../../tmp/zz
replace y/x/tmp/zz? [y]es, [n]o, [A]ll, [N]one, [r]ename: 
```
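
Two ways an extractor can handle the `..` components in the entry name above, as an added C example that is not part of the original issue and is not minizip's or UnZip's code: dropping them, which yields the `y/x/tmp/zz` that the UnZip output shows, or resolving them and rejecting any entry that would leave the extraction root. The names `sanitize_entry_name` and `sanitized` are hypothetical, and the check is purely lexical, so symlinks already present under the root are outside its scope.

```c
#include <stdio.h>
#include <string.h>

/* Lexically sanitize an archive entry name into a path relative to the
 * extraction root. '/' and '\\' are separators; empty and "." components
 * are dropped, which also removes a leading '/'.
 * strip_dotdot != 0: drop ".." components; == 0: resolve them and reject
 * names that climb above the root. Returns 0 on success, -1 on rejection. */
int sanitize_entry_name(const char *name, int strip_dotdot, char *out, size_t cap)
{
    size_t len = 0;                                /* bytes written to out */
    if (cap == 0) return -1;
    for (const char *p = name; *p; ) {
        size_t n = strcspn(p, "/\\");              /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (!strip_dotdot) {
                if (len == 0) return -1;           /* would leave the root */
                while (len > 0 && out[len - 1] != '/') len--;  /* pop component */
                if (len > 0) len--;                /* and its separator */
            }
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (len + n + 2 > cap) return -1;      /* separator + component + NUL */
            if (len) out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
        }
        p += n;
        if (*p) p++;                               /* skip the separator */
    }
    out[len] = '\0';
    return len ? 0 : -1;                           /* an empty result is rejected */
}

/* Convenience wrapper: returns the sanitized name, or NULL if rejected. */
const char *sanitized(const char *name, int strip_dotdot)
{
    static char buf[256];
    return sanitize_entry_name(name, strip_dotdot, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *entry = "././y/x/../../../../../../../tmp/zz"; /* from the listing */
    const char *a = sanitized(entry, 1);
    printf("strip:  %s\n", a ? a : "(rejected)");
    const char *b = sanitized(entry, 0);
    printf("strict: %s\n", b ? b : "(rejected)");
    return 0;
}
```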

Coeur (Contributor) commented Oct 23, 2019

For reference, SSZipArchive (which uses minizip internally) shouldn't be affected by this issue, as I'm using native (Apple) path sanitation:
https://github.com/ZipArchive/ZipArchive/blob/63cc9b455c32cbbeb4df5017390e0f6a2af50c78/SSZipArchive/SSZipArchive.m#L1253-L1256

nmoinvaz (Member) commented Oct 24, 2019

It is now fixed in dev branch. Thanks. Ref #268.

nmoinvaz added a commit that referenced this issue Oct 29, 2019
nmoinvaz added the labels 1.2 (Related to older version of minizip 1.2), fixed (Issue or bug has been fixed), security (Security issue) and 2.0, and removed the label 1.2 (Related to older version of minizip 1.2), Jan 10, 2021
tim-janik added a commit to tim-janik/anklang that referenced this issue Sep 21, 2023
* minizip-ng-submodule:
  MISC: mkcopyright.py: ignore dirs passed from `git ls-tree` on the CLI
  .gitignore: remove entries of files the build is not generating
  ASE: storage.cc: adjust old link to zlib-ng/minizip-ng/issues/433
  ASE: minizip: build against external/minizip-ng/
  ASE: Makefile.mk: automatically update external/minizip-ng submodule as needed
  EXTERNAL: minizip-ng: add zlib-ng/minizip-ng version 2.9.0
	git submodule add --name minizip-ng https://github.com/zlib-ng/minizip-ng.git external/minizip-ng

Signed-off-by: Tim Janik <timj@gnu.org>
tim-janik added a commit to tim-janik/anklang that referenced this issue Sep 21, 2023
* use-git-submodule:
  DOC: copyright.ini: apply MPL-2.0 to .gitmodules
  MISC: Makefile.mk: directly create and reference .dlcache/ for mkassets.sh
  MISC: Makefile.mk: mkassets: download builds tools before misc/mkassets.sh
  GITHUB: workflows/testing.yml: use `make mkassets` for release builds
  .gitignore: ignore .submodule-stamp
  UI: global.scss, index.html: move AnklangIcons to assets/
  UI: Makefile.mk: copy anklangicons-*.tgz files to assets, remove download
  EXTERNAL: blobs4anklang: add tim-janik/blobs4anklang commit from 2023-09-21 21:04:16
	git -C external/blobs4anklang/ checkout 7b0a4a68a1e9efbe68fc9761bef080995f4b4d6b
  UI: global.scss, index.html: move fork-awesome to assets/
  UI: Makefile.mk: copy node_modules/fork-awesome to assets, remove download
  MISC: package.json.in: install fork-awesome@1.2.0
  UI: Makefile.mk: use blobs4anklang/fonts/InterVariable.woff2, remove download
  EXTERNAL: blobs4anklang: add tim-janik/blobs4anklang commit from 2023-09-21 18:23:36
	git submodule add --name blobs4anklang https://github.com/tim-janik/blobs4anklang.git external/blobs4anklang
	git -C external/blobs4anklang/ checkout 8da35f3914b9668bacc6755a8051a17051b07c3a
  Makefile.mk: skip `git submodule` in tarball builds
  Makefile.mk: dist: exclude unused external subdirs from tarball
  Makefile.mk: include submodule archives in dist tarball
  ASE: Makefile.mk: use blake3 submodule, remove download rule
  ASE: compress.cc: use external/blake3/c/blake3.h
  EXTERNAL: blake3: add BLAKE3-team/BLAKE3 version 1.3.1
	git submodule add --name blake3 https://github.com/BLAKE3-team/BLAKE3.git external/blake3
	git -C external/blake3/ checkout 1.3.1
  ASE: Makefile.mk: use websocketpp submodule, remove download rule
  EXTERNAL: websocketpp: add zaphoyd/websocketpp version 0.8.2
	git submodule add --name websocketpp https://github.com/zaphoyd/websocketpp.git external/websocketpp
	git -C external/websocketpp/ checkout 0.8.2
  ASE: Makefile.mk: use clap submodule, remove download rule
  EXTERNAL: clap: add free-audio/clap version 1.1.1
	git submodule add --name clap https://github.com/free-audio/clap.git external/clap
	git -C external/clap/ checkout 1.1.1
  ASE: Makefile.mk: use rapidjson submodule, remove download rule
  EXTERNAL: rapidjson: add Tencent/rapidjson commit from 2022-05-24 10:03:13
	git submodule add --name rapidjson https://github.com/Tencent/rapidjson.git external/rapidjson
	git checkout 232389d4f1012dddec4ef84861face2d2ba85709
  Makefile.mk: update all submodules before building sources
  Makefile.mk: remove external/ subdir from ls-tree.lst
  MISC: mkcopyright.py: ignore dirs passed from `git ls-tree` on the CLI
  ASE: storage.cc: adjust old link to zlib-ng/minizip-ng/issues/433
  ASE: minizip: build against external/minizip-ng/
  ASE: Makefile.mk: use minizip-ng submodule, remove download rule
  EXTERNAL: minizip-ng: add zlib-ng/minizip-ng version 2.9.0
	git submodule add --name minizip-ng https://github.com/zlib-ng/minizip-ng.git external/minizip-ng
  .gitignore: remove entries of files the build is not generating

Signed-off-by: Tim Janik <timj@gnu.org>