
Commit 9385686

committed
chore: stricter path checking when unpacking zip/gtz
1 parent ed42c4f commit 9385686


1 file changed

+11
-2
lines changed

1 file changed

+11
-2
lines changed

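--- a/component/updater/update_ui.go
+++ b/component/updater/update_ui.go
@@ -221,7 +221,7 @@ func unzip(src, dest string) (string, error) {
 fpath = filepath.Join(extractedFolder, f.Name)
 }
 
-if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+if !inDest(fpath, dest) {
 return "", fmt.Errorf("invalid file path: %s", fpath)
 }
 info := f.FileInfo()
@@ -344,7 +344,7 @@ func untgz(src, dest string) (string, error) {
 fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name))
 }
 
-if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+if !inDest(fpath, dest) {
 return "", fmt.Errorf("invalid file path: %s", fpath)
 }
 
@@ -421,3 +421,12 @@ func cleanup(root string) error {
 return nil
 })
 }
+
+func inDest(fpath, dest string) bool {
+if rel, err := filepath.Rel(dest, fpath); err == nil {
+if filepath.IsLocal(rel) {
+return true
+}
+}
+return false
+}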
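Review bot: `inDest` (new lines 425–432) is a purely lexical check: `filepath.Rel` and `filepath.IsLocal` do not resolve symlinks, so on its own it cannot stop a write through a link that already exists under `dest`, for example one created by an earlier archive entry if the extraction loops create links. It also accepts `fpath == dest`, because `Rel` then returns `.` and `IsLocal(".")` is true, whereas the replaced `HasPrefix` test rejected that case. I would record the limit in a doc comment such as `// inDest reports whether fpath is lexically inside dest; it does not resolve symlinks.` and, if the old behaviour is to be kept, flatten the body to `rel, err := filepath.Rel(dest, fpath)` followed by `return err == nil && rel != "." && filepath.IsLocal(rel)`. The bodies of `unzip` and `untgz` start and end outside these hunks, so how link entries are handled there should be confirmed against the full file.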
