aaru-dps/Aaru
1
0
Fork 0
mirror of https://github.com/aaru-dps/Aaru.git synced 2025-12-16 19:24:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

[Archive extraction] Remove leading slashes to prevent absolute path attack.

Browse Source
This commit is contained in:
Natalia Portillo
2023-10-08 00:23:07 +01:00
parent 34611a90c9
commit 278de1cf26
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Aaru/Commands/Archive/Extract.cs
View File

@@ -258,6 +258,9 @@ sealed class ArchiveExtractCommand : Command
Replace('/', '\\');
}
// Prevent absolute path attack
fileName = fileName.TrimStart('\\').TrimStart('/');
string outputPath = Path.Combine(outputDir, fileName);
string destinationDir = Path.GetDirectoryName(outputPath);
if(destinationDir is not null)