fix: don't extract files outside of target path
This should fix a security issue regarding path traversal in zip files. Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
This commit is contained in:
parent
f36c3a3f6c
commit
6be7eed878
@ -275,7 +275,8 @@ bool MMCZip::findFilesInZip(QuaZip * zip, const QString & what, QStringList & re
|
||||
// ours
|
||||
std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & subdir, const QString &target)
|
||||
{
|
||||
QDir directory(target);
|
||||
auto absDirectoryUrl = QUrl::fromLocalFile(target);
|
||||
|
||||
QStringList extracted;
|
||||
|
||||
qDebug() << "Extracting subdir" << subdir << "from" << zip->getZipName() << "to" << target;
|
||||
@ -317,11 +318,16 @@ std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & su
|
||||
QString absFilePath;
|
||||
if(name.isEmpty())
|
||||
{
|
||||
absFilePath = directory.absoluteFilePath(name) + "/";
|
||||
absFilePath = FS::PathCombine(target, "/"); // FIXME this seems weird
|
||||
}
|
||||
else
|
||||
{
|
||||
absFilePath = directory.absoluteFilePath(path + name);
|
||||
absFilePath = FS::PathCombine(target, path + name);
|
||||
}
|
||||
|
||||
if (!absDirectoryUrl.isParentOf(QUrl::fromLocalFile(absFilePath))) {
|
||||
qWarning() << "Extracting" << name << "was cancelled, because it was effectively outside of the target path" << target;
|
||||
return std::nullopt;
|
||||
}
|
||||
|
||||
if (!JlCompress::extractFile(zip, "", absFilePath))
|
||||
|
Loading…
x
Reference in New Issue
Block a user