Posted to commits@commons.apache.org by bo...@apache.org on 2019/10/12 10:29:43 UTC
[commons-compress] branch master updated: COMPRESS-495 remove
vulnerable and obsolete 7z extraction example
This is an automated email from the ASF dual-hosted git repository.
bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push:
new 205876d COMPRESS-495 remove vulnerable and obsolete 7z extraction example
205876d is described below
commit 205876d6f9eb60ac31f3ec848b23d025f32995ab
Author: Stefan Bodewig <bo...@apache.org>
AuthorDate: Sat Oct 12 12:29:13 2019 +0200
COMPRESS-495 remove vulnerable and obsolete 7z extraction example
---
src/changes/changes.xml | 6 ++++
.../commons/compress/archivers/sevenz/CLI.java | 40 +---------------------
2 files changed, 7 insertions(+), 39 deletions(-)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index bae3bbe..753d303 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -59,6 +59,12 @@ The <action> type attribute can be add,update,fix,remove.
Deflate64CompressorInputStream.read would return 0 for some
inputs in violation of the InputStream.read contract.
</action>
+ <action issue="COMPRESS-495" type="remove" date="2019-10-12">
+ Removed the extraction code from the example CLI class inside
+ of the SevenZ package. Not only is it superseeded by the
+ examples package, its implementation was vulnerable to the
+ ZipSlip attack.
+ </action>
</release>
<release version="1.19" date="2019-08-27"
description="Release 1.19
diff --git a/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java b/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java
index afa5371..66afeed 100644
--- a/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java
+++ b/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java
@@ -63,44 +63,6 @@ public class CLI {
}
return sb.toString();
}
- },
- EXTRACT("Extracting") {
- private final byte[] buf = new byte[8192];
- @Override
- public void takeAction(final SevenZFile archive, final SevenZArchiveEntry entry)
- throws IOException {
- final File outFile = new File(entry.getName());
- if (entry.isDirectory()) {
- if (!outFile.isDirectory() && !outFile.mkdirs()) {
- throw new IOException("Cannot create directory " + outFile);
- }
- System.out.println("created directory " + outFile);
- return;
- }
-
- System.out.println("extracting to " + outFile);
- final File parent = outFile.getParentFile();
- if (parent != null && !parent.exists() && !parent.mkdirs()) {
- throw new IOException("Cannot create " + parent);
- }
- try (final OutputStream fos = Files.newOutputStream(outFile.toPath())) {
- final long total = entry.getSize();
- long off = 0;
- while (off < total) {
- final int toRead = (int) Math.min(total - off, buf.length);
- final int bytesRead = archive.read(buf, 0, toRead);
- if (bytesRead < 1) {
- throw new IOException("Reached end of entry "
- + entry.getName()
- + " after " + off
- + " bytes, expected "
- + total);
- }
- off += bytesRead;
- fos.write(buf, 0, bytesRead);
- }
- }
- }
};
private final String message;
@@ -134,7 +96,7 @@ public class CLI {
}
private static void usage() {
- System.out.println("Parameters: archive-name [list|extract]");
+ System.out.println("Parameters: archive-name [list]");
}
private static Mode grabMode(final String[] args) {
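Review bot: The new usage line hard-codes the remaining mode name, so usage() now duplicates the constants of the Mode enum that this same commit just shrank; if grabMode resolves the argument from Mode's constants (its body is outside the hunk, so this is inferred), deriving the text from `Mode.values()` would keep the two from drifting the next time a mode is added or removed. Something like `String modes = Arrays.stream(Mode.values()).map(m -> m.name().toLowerCase(Locale.ROOT)).collect(Collectors.joining("|"));` followed by `System.out.println("Parameters: archive-name [" + modes + "]");` would do, assuming the lower-cased constant name is what grabMode accepts. If the mode argument is mandatory rather than optional, the surrounding square brackets should also be dropped so the message is not misread.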