plugin-ext: validate path when unpacking archives #7322

Closed
wants to merge 1 commit into from

Commits on Mar 13, 2020

  1. plugin-ext: validate path when unpacking archives

    Fix zip-slip by validating where a given file will be unpacked. If the
    expected path is outside of the destination folder: log a warning and
    ignore the file.
    
    This commit includes an archive that will trigger the exploit by writing
    a file to `/tmp/slipped.txt`. This comes from magicOz, who reported the
    vulnerability on kevva's decompress repository (issue 71).
    
    Fixes #7319
    
    Signed-off-by: Paul Maréchal <[email protected]>
    paul-marechal committed Mar 13, 2020
    a869853
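
The check the commit message describes (resolve where each entry would be unpacked, then warn and ignore it if that path is outside the destination folder) can be sketched in Node.js as follows. This is an added example, not the code from this pull request: `resolveInside`, `planExtraction`, the destination `/opt/plugins/x` and the entry names are all assumptions made for illustration.

```javascript
const path = require('path');

// Constructed destination folder and entry names (sample data, not the PR's archive).
const DEST = '/opt/plugins/x';
const SAMPLE_ENTRIES = [
    'package/extension.js',
    'package/../README.md',          // normalizes to a path inside DEST
    '..notes/readme.txt',            // leading dots, but still inside DEST
    '../../../../tmp/slipped.txt',   // relative traversal
    '/tmp/slipped.txt',              // absolute entry name
    '../x-evil/a.js',                // sibling folder sharing DEST's string prefix
];

// Hypothetical helper: absolute target path for an entry, or undefined when the
// entry would be written outside destDir. The check is lexical only, so symlink
// entries inside an archive need separate handling.
function resolveInside(destDir, entryName) {
    const root = path.resolve(destDir);
    const target = path.resolve(root, entryName);
    // Comparing via path.relative avoids the prefix bug of target.startsWith(root),
    // which would accept /opt/plugins/x-evil as if it were inside /opt/plugins/x.
    const rel = path.relative(root, target);
    const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    return escapes ? undefined : target;
}

// Hypothetical helper: split entries into those to extract and those to ignore,
// logging a warning for each ignored entry.
function planExtraction(destDir, entryNames, warn = console.warn) {
    const extract = [];
    const skipped = [];
    for (const name of entryNames) {
        const target = resolveInside(destDir, name);
        if (target === undefined) {
            warn(`ignoring archive entry outside ${destDir}: ${JSON.stringify(name)}`);
            skipped.push(name);
        } else {
            extract.push({ name, target });
        }
    }
    return { extract, skipped };
}

console.log(planExtraction(DEST, SAMPLE_ENTRIES));
```

Only the entries in `extract` should be written to disk, each at its resolved `target`.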