You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by bo...@apache.org on 2018/06/15 17:46:19 UTC

commons-compress git commit: fix edge case vulnerability detected by @DidierLoiseau

Repository: commons-compress
Updated Branches:
  refs/heads/master ba12419e6 -> a080293da


fix edge case vulnerability detected by @DidierLoiseau

While this allows a path traversal attack it can only be exploited in
a special edge case.


Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/a080293d
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/a080293d
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/a080293d

Branch: refs/heads/master
Commit: a080293da69f3fe3d11d5214432e1469ee195870
Parents: ba12419
Author: Stefan Bodewig <bo...@apache.org>
Authored: Fri Jun 15 19:44:45 2018 +0200
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Fri Jun 15 19:46:02 2018 +0200

----------------------------------------------------------------------
 src/changes/changes.xml                         |  6 ++++++
 .../compress/archivers/examples/Expander.java   |  2 +-
 .../archivers/examples/ExpanderTest.java        | 21 ++++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-compress/blob/a080293d/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 3195582..ef0a7c9 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -44,6 +44,12 @@ The <action> type attribute can be add,update,fix,remove.
   <body>
     <release version="1.18" date="not released, yet"
              description="Release 1.18">
+      <action type="fix" date="2018-06-15" due-to="DidierLoiseau">
+        The example Expander class has been vulnerable to a path
+        traversal in the edge case that happens when the target
+        directory has a sibling directory and the name of the target
+        directory is a prefix of the sibling directory's name.
+      </action>
     </release>
     <release version="1.17" date="2018-06-03"
              description="Release 1.17">

http://git-wip-us.apache.org/repos/asf/commons-compress/blob/a080293d/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java b/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
index acdf4dc..5644451 100644
--- a/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
+++ b/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java
@@ -238,7 +238,7 @@ public class Expander {
 
     private void expand(ArchiveEntrySupplier supplier, EntryWriter writer, File targetDirectory)
         throws IOException {
-        String targetDirPath = targetDirectory.getCanonicalPath();
+        String targetDirPath = targetDirectory.getCanonicalPath() + File.separatorChar;
         ArchiveEntry nextEntry = supplier.getNextReadableEntry();
         while (nextEntry != null) {
             File f = new File(targetDirectory, nextEntry.getName());

http://git-wip-us.apache.org/repos/asf/commons-compress/blob/a080293d/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
index 751f010..d14a273 100644
--- a/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
+++ b/src/test/java/org/apache/commons/compress/archivers/examples/ExpanderTest.java
@@ -43,6 +43,7 @@ import org.apache.commons.compress.archivers.sevenz.SevenZOutputFile;
 import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.commons.compress.utils.IOUtils;
 import org.junit.Assert;
+import org.junit.Assume;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
@@ -130,6 +131,26 @@ public class ExpanderTest extends AbstractTestCase {
         }
     }
 
+    @Test
+    public void fileCantEscapeDoubleDotPathWithSimilarSibling() throws IOException, ArchiveException {
+        String sibling = resultDir.getName() + "x";
+        File s = new File(resultDir.getParentFile(), sibling);
+        Assume.assumeFalse(s.exists());
+        s.mkdirs();
+        Assume.assumeTrue(s.exists());
+        s.deleteOnExit();
+        try {
+            thrown.expect(IOException.class);
+            thrown.expectMessage("expanding ../" + sibling + "/a would create file outside of");
+            setupZip("../" + sibling + "/a");
+            try (ZipFile f = new ZipFile(archive)) {
+                new Expander().expand(f, resultDir);
+            }
+        } finally {
+            tryHardToDelete(s);
+        }
+    }
+
     private void setup7z() throws IOException, ArchiveException {
         archive = new File(dir, "test.7z");
         File dummy = new File(dir, "x");