CVE-2020-36561: Merge pull request #1 from snoopysecurity/fix/santize-filename-paths · yi-ge/unzip@2adbaa4
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.
@@ -12,6 +12,8 @@ import (
“path/filepath”
“runtime”
“time”
“strings”
“fmt”
)
var (
@@ -120,6 +122,9 @@ func (uz Unzip) Extract() error {
}()
path := filepath.Join(uz.Dest, f.Name)
if !strings.HasPrefix(path, filepath.Clean(uz.Dest)+string(os.PathSeparator)) {
return fmt.Errorf("%s: illegal file path", path)
}
if f.FileInfo().IsDir() {
os.MkdirAll(path, f.Mode())
Related news
GHSA-f5c5-hmw9-v8hx: Unzip vulnerable to path traversal
Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.