go/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2025-07-15 01:25:10 +02:00
Code Issues Releases Activity

Security: Don't allow tar files containing a ".."

Browse Source
This commit is contained in:
Ralph Slooten
2022-08-07 00:26:18 +12:00
parent 788e390e01
commit 544f0175d9
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
updater/targz.go
View File

@ -8,6 +8,7 @@ import (
"io" "io"
"os" "os"
"path/filepath" "path/filepath"
"strings"
"syscall" "syscall"
) )
@ -184,6 +185,10 @@ func extract(filePath string, directory string) error {
} }
fileInfo := header.FileInfo() fileInfo := header.FileInfo()
// paths could contain a '..', is used in a file system operations
if strings.Contains(fileInfo.Name(), "..") {
continue
}
dir := filepath.Join(directory, filepath.Dir(header.Name)) dir := filepath.Join(directory, filepath.Dir(header.Name))
filename := filepath.Join(dir, fileInfo.Name()) filename := filepath.Join(dir, fileInfo.Name())