fix directory traversal issues in miniunzip

bug-debian: https://bugs.debian.org/774321 bug-debian: https://bugs.debian.org/776831 Gbp-Pq: Name traversal.patch
2022-05-14 03:40:09 +08:00 · 2022-05-14 03:40:09 +08:00 · bb6b6080f5
parent cb8c4f3a8e
commit bb6b6080f5
1 changed files with 14 additions and 0 deletions
--- a/miniunz.c
+++ b/miniunz.c
@ -355,6 +355,20 @@ int do_extract_currentfile(uf,popt_extract_without_path,popt_overwrite,password)
        else
            write_filename = filename_withoutpath;

+        if (write_filename[0]!='\0')
+        {
+            const char* relative_check = write_filename;
+            while (relative_check[1]!='\0')
+            {
+                if (relative_check[0]=='.' && relative_check[1]=='.')
+                    write_filename = relative_check;
+                relative_check++;
+            }
+        }
+
+        while (write_filename[0]=='/' || write_filename[0]=='.')
+            write_filename++;
+
        err = unzOpenCurrentFilePassword(uf,password);
        if (err!=UNZ_OK)
        {