From 278de1cf266300f79527a23221b7cb6dda260d90 Mon Sep 17 00:00:00 2001
From: Natalia Portillo
Date: Sun, 8 Oct 2023 00:23:07 +0100
Subject: [PATCH] [Archive extraction] Remove leading slashes to prevent absolute path attack.
---
 Aaru/Commands/Archive/Extract.cs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Aaru/Commands/Archive/Extract.cs b/Aaru/Commands/Archive/Extract.cs
index 8961ab6f2..22ca56a59 100644
--- a/Aaru/Commands/Archive/Extract.cs
+++ b/Aaru/Commands/Archive/Extract.cs
@@ -258,6 +258,9 @@ sealed class ArchiveExtractCommand : Command
 Replace('/', '\\');
 }
 
+ // Prevent absolute path attack
+ fileName = fileName.TrimStart('\\').TrimStart('/');
+
 string outputPath = Path.Combine(outputDir, fileName);
 string destinationDir = Path.GetDirectoryName(outputPath);
 if(destinationDir is not null)
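Review bot: The chained `TrimStart('\\').TrimStart('/')` strips the two separators in a fixed order, so a name with mixed leading separators such as `/\name` (constructed example) still begins with a backslash after both calls; `fileName = fileName.TrimStart('\\', '/');` removes any mix of the two. Trimming also leaves drive-qualified names and `..` segments untouched, and `Path.Combine` returns its second argument unchanged when that argument is rooted, so unless this is handled outside the hunk the resulting `outputPath` can still fall outside `outputDir`. A containment check after the combine would be the more robust guard: compare `Path.GetFullPath(outputPath)` against `Path.GetFullPath(outputDir)` plus a trailing directory separator, and skip the entry when it does not match. The enclosing method starts and ends outside the hunk, so how a rejected entry should be reported is not visible here.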