Mirrors/velopack
1
0
Fork 0
mirror of https://github.com/velopack/velopack.git synced 2025-10-25 15:19:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prevent zip path exploits

Browse Source
This commit is contained in:
Caelan Sayler
2024-03-17 21:39:21 +00:00
parent 35e8852ad0
commit 4c3fcc74db
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/Rust/src/shared/bundle.rs
View File

@@ -294,8 +294,9 @@ impl BundleInfo<'_> {
let mut archive = self.zip.borrow_mut();
for i in 0..archive.len() {
let file = archive.by_index(i)?;
let key = file.name();
files.push(key.to_string());
let key = file.enclosed_name().ok_or_else(
|| anyhow!("Could not extract file safely ({}). Ensure no paths in archive are absolute or point to a path outside the archive.", file.name()))?;
files.push(key.to_string_lossy().to_string());
}
Ok(files)
}