Mirrorlandia_minetest/minetest
1
0
Fork 1
mirror of https://github.com/minetest/minetest.git synced 2024-11-23 08:03:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix path traversal in mainmenu's extract_zip

Browse Source
This commit is contained in:
sfan5 2024-07-08 22:13:04 +02:00
parent bb3f271a20
commit a6121c7f67
1 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/filesys.cpp
View File

@ -954,13 +954,22 @@ bool extractZipFile(io::IFileSystem *fs, const char *filename, const std::string
const io::IFileList* files_in_zip = opened_zip->getFileList();
for (u32 i = 0; i < files_in_zip->getFileCount(); i++) {
std::string fullpath = destination + DIR_DELIM;
fullpath += files_in_zip->getFullFileName(i).c_str();
std::string fullpath_dir = fs::RemoveLastPathComponent(fullpath);
if (files_in_zip->isDirectory(i))
continue; // ignore, we create dirs as necessary
const auto &filename = files_in_zip->getFullFileName(i);
std::string fullpath = destination + DIR_DELIM;
fullpath += filename.c_str();
fullpath = fs::RemoveRelativePathComponents(fullpath);
if (!fs::PathStartsWith(fullpath, destination)) {
warningstream << "fs::extractZipFile(): refusing to extract file \""
<< filename.c_str() << "\"" << std::endl;
continue;
}
std::string fullpath_dir = fs::RemoveLastPathComponent(fullpath);
if (!fs::PathExists(fullpath_dir) && !fs::CreateAllDirs(fullpath_dir))
return false;