root
/
rubyzip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow tilde in zip entry names 

Use absolute_path rather than expand_path to allow tilde to pass through
unchanged. Otherwise, we try to expand it to a home directory.
This commit is contained in:
John Lees-Miller 2019-03-03 14:46:49 +00:00
parent 8ece5c9988
commit ad15c3c494
3 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/zip/entry.rb
View File

@ -118,7 +118,7 @@ module Zip
return false unless cleanpath.relative? return false unless cleanpath.relative?
root = ::File::SEPARATOR root = ::File::SEPARATOR
naive_expanded_path = ::File.join(root, cleanpath.to_s) naive_expanded_path = ::File.join(root, cleanpath.to_s)
cleanpath.expand_path(root).to_s == naive_expanded_path ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
end end
def local_entry_offset #:nodoc:all def local_entry_offset #:nodoc:all

BIN
test/data/path_traversal/tilde.zip Normal file
View File

Binary file not shown.

7
test/path_traversal_test.rb
View File

@ -131,4 +131,11 @@ class PathTraversalTest < MiniTest::Test
refute File.exist?('/tmp/file.txt') refute File.exist?('/tmp/file.txt')
end end
end end
def test_entry_name_with_tilde
in_tmpdir do
extract_path_traversal_zip 'tilde.zip'
assert File.exist?('~tilde~')
end
end
end end