Summary: | Unzip allowFilesToEscapeDest=false don't check for relative paths in some cases (../../../) | ||
---|---|---|---|
Product: | Ant | Reporter: | Oliver <Oliver.Warz> |
Component: | Core tasks | Assignee: | Ant Notifications List <notifications> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | P2 | ||
Version: | 1.10.4 | ||
Target Milestone: | 1.10.5 | ||
Hardware: | PC | ||
OS: | All |
Description
Oliver
2018-06-28 12:30:09 UTC
I can reproduce this on a Linux box as well, thank you for the heads up! My fault, sorry for that. We are currently discussing how to fix it, for context see https://lists.apache.org/thread.html/ed2b2068699fae5c84c8772fca6b854d43ec7e9506c292b3af22da46@%3Cdev.ant.apache.org%3E Thanks, it is supposed ot be fixed in both branches now. It would be good if you could build Ant from master and confirm it also works on Windows as expected. (In reply to Stefan Bodewig from comment #3) > Thanks, it is supposed ot be fixed in both branches now. It would be good if > you could build Ant from master and confirm it also works on Windows as > expected. I did a minimal test for unzip/untar/unjar and allowFilesToEscapeDest="false" worked as expected on Windows 10. Thanks for the quick reply and the great build tool. ant -d Apache Ant(TM) version 1.10.5alpha compiled on July 3 2018 ... [unzip] Expanding: C:\test\zip-slip-win.zip into C:\test\dest [unzip] extracting good.txt [unzip] expanding good.txt to C:\test\dest\good.txt [unzip] extracting ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt [unzip] skipping ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt as its target C:\Temp\evil.txt is outside of C:\test\dest. [unzip] expand complete BUILD SUCCESSFUL Total time: 0 seconds On Windows 10, this fix slows down the unzip task considerably - actually threefold in a specific case (JBoss EAP 6.4 distribution zipfile). I suppose this is caused by getCanonicalPath(). I will create a new ticket for this. |