Posted to notifications@commons.apache.org by DidierLoiseau <gi...@git.apache.org> on 2018/06/15 12:15:34 UTC

[GitHub] commons-compress pull request #:

Github user DidierLoiseau commented on the pull request:

    https://github.com/apache/commons-compress/commit/97867f6fa3634c77dfafd76c89ecb1087f5cd1ae#commitcomment-29378554
  
    In src/main/java/org/apache/commons/compress/archivers/Expander.java:
    In src/main/java/org/apache/commons/compress/archivers/Expander.java on line 359:
    This check still allows extracting to a sibling directory of the `targetDirectory` if the `targetDirectory` name is a prefix of that sibling directory, doesn't it? `targetDirPath` should include the `File.separator` as shown in [the example on Snyk](https://snyk.io/research/zip-slip-vulnerability#java).


---
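
The prefix problem raised in the comment above, as an added example that is not commons-compress code and not part of the original comment. It assumes the check under discussion compares canonical paths with `String.startsWith`; the class name, method names, directory name and entry names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class ZipSlipPrefixCheck {

    // Character-prefix comparison without a trailing separator (assumed form of
    // the check the comment refers to): "/tmp/out-evil/x.txt" starts with "/tmp/out".
    static boolean insideNaive(File targetDirectory, String entryName) throws IOException {
        String targetDirPath = targetDirectory.getCanonicalPath();
        File f = new File(targetDirectory, entryName);
        return f.getCanonicalPath().startsWith(targetDirPath);
    }

    // Same comparison with File.separator appended, as the comment suggests.
    // An entry that resolves to the target directory itself is also rejected.
    static boolean insideWithSeparator(File targetDirectory, String entryName) throws IOException {
        String targetDirPath = targetDirectory.getCanonicalPath() + File.separator;
        File f = new File(targetDirectory, entryName);
        return f.getCanonicalPath().startsWith(targetDirPath);
    }

    // Alternative: Path.startsWith compares whole name elements, not characters,
    // so "out-evil" never matches "out".
    static boolean insideByPath(File targetDirectory, String entryName) throws IOException {
        Path base = targetDirectory.getCanonicalFile().toPath();
        Path resolved = new File(targetDirectory, entryName).getCanonicalFile().toPath();
        return resolved.startsWith(base) && !resolved.equals(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed target directory and entry names; nothing is written to disk.
        File target = new File(System.getProperty("java.io.tmpdir"), "out");
        String[] names = { "docs/readme.txt", "../out-evil/x.txt", "../../x.txt" };
        for (String n : names) {
            System.out.printf("%-20s naive=%b separator=%b path=%b%n", n,
                insideNaive(target, n), insideWithSeparator(target, n), insideByPath(target, n));
        }
    }
}
```

Only the sibling-directory entry separates the three checks: the naive comparison accepts it, while the separator-terminated and element-wise comparisons reject it.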