diff --git a/core/src/main/java/lucee/commons/io/compress/CompressUtil.java b/core/src/main/java/lucee/commons/io/compress/CompressUtil.java
index e27cebff5d..052232bbcc 100644
--- a/core/src/main/java/lucee/commons/io/compress/CompressUtil.java
+++ b/core/src/main/java/lucee/commons/io/compress/CompressUtil.java
@@ -269,7 +269,7 @@ private static void unzip(Resource zipFile,Resource targetDir) throws IOExceptio
 zis = new ZipInputStream( IOUtil.toBufferedInputStream(zipFile.getInputStream()) ) ;
 ZipEntry entry;
 while ( ( entry = zis.getNextEntry()) != null ) {
- Resource target=targetDir.getRealResource(entry.getName());
+ Resource target=ZipUtil.toResource(targetDir, entry);
 if(entry.isDirectory()) {
 target.mkdirs();
 }
@@ -322,7 +322,7 @@ private static void unzip2(File zipFile,Resource targetDir) throws IOException {
 Enumeration en = zf.entries();
 while(en.hasMoreElements()){
 entry = (ZipEntry) en.nextElement();
- Resource target=targetDir.getRealResource(entry.getName());
+ Resource target=ZipUtil.toResource(targetDir, entry);
 if(entry.isDirectory()) {
 target.mkdirs();
 }
diff --git a/core/src/main/java/lucee/commons/io/compress/ZipUtil.java b/core/src/main/java/lucee/commons/io/compress/ZipUtil.java
index a16b352057..896c7cd81d 100644
--- a/core/src/main/java/lucee/commons/io/compress/ZipUtil.java
+++ b/core/src/main/java/lucee/commons/io/compress/ZipUtil.java
@@ -19,11 +19,13 @@ package lucee.commons.io.compress;
 import java.io.IOException;
+import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipOutputStream;
 import lucee.commons.cli.Command;
 import lucee.commons.io.res.Resource;
+import lucee.runtime.type.util.ListUtil;
 public final class ZipUtil {
@@ -56,4 +58,14 @@ public static void close(ZipFile file) {
 } catch (IOException e) {}
 }
+
+ public static Resource toResource(Resource targetDir, ZipEntry entry) throws IOException {
+ Resource target = targetDir.getRealResource(entry.getName());
+
+ // in case a file is outside the target directory, we copy it to the target directory
+ if(!target.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+ target=targetDir.getRealResource(ListUtil.last(entry.getName(), "\\/",true));
+ }
+ return target;
+ }
 }
\ No newline at end of file
diff --git a/core/src/main/java/lucee/runtime/tag/Zip.java b/core/src/main/java/lucee/runtime/tag/Zip.java
index 8869d6f69f..49c1ad4cc0 100755
--- a/core/src/main/java/lucee/runtime/tag/Zip.java
+++ b/core/src/main/java/lucee/runtime/tag/Zip.java
@@ -484,7 +484,7 @@ private void actionUnzip() throws ApplicationException, IOException {
 continue;
 }
- target = destination.getRealResource(entry.getName());
+ target = ZipUtil.toResource(destination, entry);
 // filter
 if(filter != null && !filter.accept(target)) {
diff --git a/loader/build.xml b/loader/build.xml
index 6ad082c18e..9342f10170 100644
--- a/loader/build.xml
+++ b/loader/build.xml
@@ -1,7 +1,7 @@ - + org.lucee lucee - 5.2.7.62-SNAPSHOT + 5.2.7.63-SNAPSHOT jar Lucee Loader Build
diff --git a/test/tags/Zip.cfc b/test/tags/Zip.cfc
index edc0d71aa8..2cde1e29f5 100644
--- a/test/tags/Zip.cfc
+++ b/test/tags/Zip.cfc
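Review bot: The containment check in toResource is a bare string prefix test, `startsWith(targetDir.getCanonicalPath())`, so an entry whose canonical path lands in a sibling directory whose name merely begins with the target's name (target `…/out`, entry resolving to `…/out2/x`) is treated as inside the target and is never relocated. Compare against the target path terminated by a separator, or accept an exact match: `String base = targetDir.getCanonicalPath(); String path = target.getCanonicalPath();` followed by `if(!path.equals(base) && !path.startsWith(base.endsWith(File.separator) ? base : base + File.separator)) {` (File.separator needs a java.io.File import; use the separator the Resource implementation reports if that differs). The fallback silently drops the entry's directory part and writes it under the target root, which can overwrite an existing same-named file there, so a warning log at the relocation point, e.g. `// entry escaped targetDir; flattened to its basename`, would make such archives visible to operators, and rejecting the entry is the stricter alternative. The CompressUtil and Zip.java hunks all route through this helper, so the fix here covers every call site; how getRealResource treats an absolute entry name is not visible in this diff.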
@@ -82,5 +82,35 @@ component extends="org.lucee.cfml.test.LuceeTestCase" {
 }
 }
+ public function testInvalidEntryName() {
+ var curr=getDirectoryFromPath(getCurrentTemplatePath());
+ var trg=curr&"zip/"
+ trg2=trg&"sub/sub/";
+ if(directoryExists(trg)) directoryDelete(trg,true);
+ directoryCreate(trg);
+ directoryCreate(trg2);
+
+
+ try{
+ // create the test zip
+ zip action="zip" file="#trg#test.zip"{
+ zipparam entrypath="../../invalidpath.txt" content="test a invalid path";
+ }
+
+ // unzip the created zip
+ zip action="unzip" file="#trg#test.zip" destination=trg2;
+
+ // is the file in the right place
+ assertTrue(fileExists("#trg2#invalidpath.txt"));
+ assertFalse(fileExists("#trg#invalidpath.txt"));
+ }
+ finally {
+ if(directoryExists(trg)) directoryDelete(trg,true);
+ }
+ + + } + + }
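Review bot: `trg2=trg&"sub/sub/";` in testInvalidEntryName has no `var`, so it is written to the component's variables scope rather than being function-local, and the line before it, `var trg=curr&"zip/"`, drops its terminating semicolon; both should read `var trg=curr&"zip/";` and `var trg2=trg&"sub/sub/";`. The test pins only one escape shape, a `../../` entry that climbs above the destination; since the guard it exercises is a path-prefix comparison, a second case unzipping into a destination whose directory name is a prefix of a sibling (for example destination `#trg#sub/` with an entry path resolving into `#trg#sub2/`) would confirm the check is not satisfied by a shared prefix. The assertions also do not check the extracted file's content, so `assertEquals("test a invalid path", fileRead("#trg2#invalidpath.txt"))` would show the relocated entry was written intact.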