root
/
rubyzip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix CVE-2018-1000544 symlink path traversal 

Not sure if the exception is the right way to go
This commit is contained in:
Bart de Water 2018-07-01 16:45:06 -04:00
parent 6e0d23178a
commit 8e78311d67
3 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/zip/entry.rb
View File

@ -154,6 +154,9 @@ module Zip
elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/ elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
puts "WARNING: skipped \"../\" path component(s) in #{@name}" puts "WARNING: skipped \"../\" path component(s) in #{@name}"
return self return self
elsif symlink? && get_input_stream.read =~ %r{../..}
puts "WARNING: skipped \"#{get_input_stream.read}\" symlink path in #{@name}"
return self
end end
dest_path ||= @name dest_path ||= @name

BIN
test/data/symlink.zip Normal file
View File

Binary file not shown.

10
test/entry_test.rb
View File

@ -177,4 +177,14 @@ class ZipEntryTest < MiniTest::Test
assert File.exist?("#{path}/tmp/file.txt") assert File.exist?("#{path}/tmp/file.txt")
end end
def test_entry_name_with_relative_symlink
assert_raises Errno::ENOENT do
Zip::File.open('test/data/symlink.zip') do |zip_file|
zip_file.each do |entry|
entry.extract
end
end
end
end
end end