You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by bo...@apache.org on 2018/06/15 17:46:19 UTC
commons-compress git commit: fix edge case vulnerability detected by
@DidierLoiseau
Repository: commons-compress
Updated Branches:
refs/heads/master ba12419e6 -> a080293da
fix edge case vulnerability detected by @DidierLoiseau
While this allows a path traversal attack it can only be exploited in
a special edge case.
Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/a080293d
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/a080293d
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/a080293d
Branch: refs/heads/master
Commit: a080293da69f3fe3d11d5214432e1469ee195870
Parents: ba12419
Author: Stefan Bodewig <bo...@apache.org>
Authored: Fri Jun 15 19:44:45 2018 +0200
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Fri Jun 15 19:46:02 2018 +0200
----------------------------------------------------------------------
src/changes/changes.xml | 6 ++++++
.../compress/archivers/examples/Expander.java | 2 +-
.../archivers/examples/ExpanderTest.java | 21 ++++++++++++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/a080293d/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 3195582..ef0a7c9 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -44,6 +44,12 @@ The <action> type attribute can be add,update,fix,remove.
<body>
<release version="1.18" date="not released, yet"
description="Release 1.18">
+ <action type="fix" date="2018-06-15" due-to="DidierLoiseau">
+ The example Expander class has been vulnerable to a path
+ traversal in the edge case that happens when the target
+ directory has a sibling directory and the name of the target
+ directory is a prefix of the sibling directory's name.
+ </action>
</release>
<release version="1.17" date="2018-06-03"
description="Release 1.17">
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/a080293d/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java b/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
index acdf4dc..5644451 100644
--- a/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
+++ b/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
@@ -238,7 +238,7 @@ public class Expander {
private void expand(ArchiveEntrySupplier supplier, EntryWriter writer, File targetDirectory)
throws IOException {
- String targetDirPath = targetDirectory.getCanonicalPath();
+ String targetDirPath = targetDirectory.getCanonicalPath() + File.separatorChar;
ArchiveEntry nextEntry = supplier.getNextReadableEntry();
while (nextEntry != null) {
File f = new File(targetDirectory, nextEntry.getName());
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/a080293d/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
index 751f010..d14a273 100644
--- a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
+++ b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
@@ -43,6 +43,7 @@ import org.apache.commons.compress.archivers.sevenz.SevenZOutputFile;
import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.commons.compress.utils.IOUtils;
import org.junit.Assert;
+import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
@@ -130,6 +131,26 @@ public class ExpanderTest extends AbstractTestCase {
}
}
+ @Test
+ public void fileCantEscapeDoubleDotPathWithSimilarSibling() throws IOException, ArchiveException {
+ String sibling = resultDir.getName() + "x";
+ File s = new File(resultDir.getParentFile(), sibling);
+ Assume.assumeFalse(s.exists());
+ s.mkdirs();
+ Assume.assumeTrue(s.exists());
+ s.deleteOnExit();
+ try {
+ thrown.expect(IOException.class);
+ thrown.expectMessage("expanding ../" + sibling + "/a would create file outside of");
+ setupZip("../" + sibling + "/a");
+ try (ZipFile f = new ZipFile(archive)) {
+ new Expander().expand(f, resultDir);
+ }
+ } finally {
+ tryHardToDelete(s);
+ }
+ }
+
private void setup7z() throws IOException, ArchiveException {
archive = new File(dir, "test.7z");
File dummy = new File(dir, "x");