change handling of invalid zip entries and add test case

core/src/main/java/lucee/commons/io/compress/CompressUtil.java

@@ -269,7 +269,7 @@ private static void unzip(Resource zipFile,Resource targetDir) throws IOExceptio
 	        zis = new ZipInputStream( IOUtil.toBufferedInputStream(zipFile.getInputStream()) ) ;     
 	        ZipEntry entry;
 	        while ( ( entry = zis.getNextEntry()) != null ) {
-	        	Resource target=targetDir.getRealResource(entry.getName());
+	        	Resource target=ZipUtil.toResource(targetDir, entry);
 	            if(entry.isDirectory()) {
 	                target.mkdirs();
 	            }
@@ -322,7 +322,7 @@ private static void unzip2(File zipFile,Resource targetDir) throws IOException {
 	        Enumeration en = zf.entries();
 	        while(en.hasMoreElements()){
 	        	entry = (ZipEntry) en.nextElement();
-	        	Resource target=targetDir.getRealResource(entry.getName());
+	        	Resource target=ZipUtil.toResource(targetDir, entry);
 	            if(entry.isDirectory()) {
 	                target.mkdirs();
 	            }

core/src/main/java/lucee/commons/io/compress/ZipUtil.java

@@ -19,11 +19,13 @@
 package lucee.commons.io.compress;
 
 import java.io.IOException;
+import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipOutputStream;
 
 import lucee.commons.cli.Command;
 import lucee.commons.io.res.Resource;
+import lucee.runtime.type.util.ListUtil;
 
 public final class ZipUtil {
 
@@ -56,4 +58,14 @@ public static void close(ZipFile file) {
 		} 
 		catch (IOException e) {}
 	}
+
+	public static Resource toResource(Resource targetDir, ZipEntry entry) throws IOException {
+		Resource target = targetDir.getRealResource(entry.getName());
+
+		// in case a file is outside the target directory, we copy it to the target directory
+		if(!target.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+			target=targetDir.getRealResource(ListUtil.last(entry.getName(), "\\/",true));
+		}
+		return target;
+	}
 }

core/src/main/java/lucee/runtime/tag/Zip.java

@@ -484,7 +484,7 @@ private void actionUnzip() throws ApplicationException, IOException {
 					continue;
 				}
 
-				target = destination.getRealResource(entry.getName());
+				target = ZipUtil.toResource(destination, entry);
 
 				// filter
 				if(filter != null && !filter.accept(target)) {

loader/build.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project default="core" basedir="." name="Lucee" xmlns:artifact="antlib:org.apache.maven.artifact.ant">
 
-  <property name="version" value="5.2.7.62-SNAPSHOT"/>
+  <property name="version" value="5.2.7.63-SNAPSHOT"/>
 
   <path id="maven-ant-tasks.classpath" path="../ant/lib/maven-ant-tasks-2.1.3.jar" />
   <typedef resource="org/apache/maven/artifact/ant/antlib.xml"

loader/pom.xml

@@ -3,7 +3,7 @@
 
   <groupId>org.lucee</groupId>
   <artifactId>lucee</artifactId>
-  <version>5.2.7.62-SNAPSHOT</version>
+  <version>5.2.7.63-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>Lucee Loader Build</name>

test/tags/Zip.cfc

@@ -82,5 +82,35 @@ component extends="org.lucee.cfml.test.LuceeTestCase"	{
 		}
 	}
 
+	public function testInvalidEntryName() {
+		var curr=getDirectoryFromPath(getCurrentTemplatePath());
+		var trg=curr&"zip/"
+		trg2=trg&"sub/sub/";
+		if(directoryExists(trg)) directoryDelete(trg,true);
+		directoryCreate(trg);
+		directoryCreate(trg2);
+
+
+		try{
+			// create the test zip
+			zip action="zip" file="#trg#test.zip"{
+				zipparam entrypath="../../invalidpath.txt" content="test a invalid path";
+			}
+
+			// unzip the created zip
+			zip action="unzip" file="#trg#test.zip" destination=trg2;
+
+			// is the file in the right place
+			assertTrue(fileExists("#trg2#invalidpath.txt"));
+			assertFalse(fileExists("#trg#invalidpath.txt"));
+		}
+		finally {
+			if(directoryExists(trg)) directoryDelete(trg,true);
+		}
+
+
+	}
+
+
 } 
 </cfscript>