Posted to notifications@commons.apache.org by DidierLoiseau <gi...@git.apache.org> on 2018/06/15 12:15:34 UTC
[GitHub] commons-compress pull request #:
Github user DidierLoiseau commented on the pull request:
https://github.com/apache/commons-compress/commit/97867f6fa3634c77dfafd76c89ecb1087f5cd1ae#commitcomment-29378554
In src/main/java/org/apache/commons/compress/archivers/Expander.java on line 359:
This check still allows extracting to a sibling directory of the `targetDirectory` if the `targetDirectory` name is a prefix of that sibling directory, doesn't it? `targetDirPath` should include the `File.separator` as shown in [the example on Snyk](https://snyk.io/research/zip-slip-vulnerability#java).
---
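The prefix problem raised in the comment above, as an added example that is not part of the original message or of the commons-compress source. The class, method, directory and entry names are constructed, and the unpadded `startsWith` comparison is an assumed form of the check under discussion.

```java
import java.io.File;
import java.io.IOException;

public class TargetDirPrefixCheck {

    // Assumed form of the check being discussed: canonical paths compared
    // as plain strings, with no separator after the target directory.
    static boolean prefixOnly(File targetDirectory, String entryName) throws IOException {
        String targetDirPath = targetDirectory.getCanonicalPath();
        File resolved = new File(targetDirectory, entryName);
        return resolved.getCanonicalPath().startsWith(targetDirPath);
    }

    // Same check with File.separator appended, as the comment suggests.
    // The target directory itself is accepted explicitly, because its
    // canonical path does not end with a separator.
    static boolean withSeparator(File targetDirectory, String entryName) throws IOException {
        String targetDir = targetDirectory.getCanonicalPath();
        String resolved = new File(targetDirectory, entryName).getCanonicalPath();
        return resolved.equals(targetDir)
                || resolved.startsWith(targetDir + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/prefix-demo/out is the extraction target.
        File base = new File(System.getProperty("java.io.tmpdir"), "prefix-demo");
        File target = new File(base, "out");

        // Constructed entry names; nothing is written to disk.
        String[] entryNames = {
            "docs/readme.txt",          // stays inside out/
            "../out-sibling/file.txt",  // sibling whose name starts with "out"
            "../other/file.txt",        // sibling with an unrelated name
            "."                         // the target directory itself
        };

        for (String name : entryNames) {
            System.out.printf("%-26s prefixOnly=%-5b withSeparator=%b%n",
                    name, prefixOnly(target, name), withSeparator(target, name));
        }
        // Only "../out-sibling/file.txt" differs between the two checks:
        // prefixOnly accepts it, withSeparator rejects it.
    }
}
```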