generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2024-12-12 18:20:26 +01:00
Code Issues Projects Releases Wiki Activity

fixed #331: Poco::Zip does not support files with .. in the name.

Browse Source
This commit is contained in:
Guenter Obiltschnig 2014-11-21 10:08:52 +01:00
parent 6ddce4c9ff
commit f09ed71a47
5 changed files with 25 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Zip/include/Poco/Zip/ZipCommon.h
View File

@ -90,7 +90,9 @@ public:
FT_ASCII = 1
};
static const std::string ILLEGAL_PATH;
static bool isValidPath(const std::string& path);
/// Checks whether the given path is valid (does
/// not contain ".." path segments).
};

4
Zip/src/Compress.cpp
View File

@ -192,8 +192,8 @@ void Compress::addDirectory(const Poco::Path& entryName, const Poco::DateTime& l
throw ZipException("Illegal entry name /");
if (fileStr.empty())
throw ZipException("Illegal empty entry name");
if (fileStr.find(ZipCommon::ILLEGAL_PATH) != std::string::npos)
throw ZipException("Illegal entry name " + fileStr + " containing " + ZipCommon::ILLEGAL_PATH);
if (!ZipCommon::isValidPath(fileStr))
throw ZipException("Illegal entry name " + fileStr + " containing parent directory reference");
if (entryName.depth() > 1)
{

8
Zip/src/Decompress.cpp
View File

@ -81,8 +81,8 @@ bool Decompress::handleZipEntry(std::istream& zipStream, const ZipLocalFileHeade
if (!_flattenDirs)
{
std::string dirName = hdr.getFileName();
if (dirName.find(ZipCommon::ILLEGAL_PATH) != std::string::npos)
throw ZipException("Illegal entry name " + dirName + " containing " + ZipCommon::ILLEGAL_PATH);
if (!ZipCommon::isValidPath(dirName))
throw ZipException("Illegal entry name " + dirName + " containing parent directory reference");
Poco::Path dir(_outDir, dirName);
dir.makeDirectory();
Poco::File aFile(dir);
@ -101,8 +101,8 @@ bool Decompress::handleZipEntry(std::istream& zipStream, const ZipLocalFileHeade
fileName = p.getFileName();
}
if (fileName.find(ZipCommon::ILLEGAL_PATH) != std::string::npos)
throw ZipException("Illegal entry name " + fileName + " containing " + ZipCommon::ILLEGAL_PATH);
if (!ZipCommon::isValidPath(fileName))
throw ZipException("Illegal entry name " + fileName + " containing parent directory reference");
Poco::Path file(fileName);
file.makeFile();

15
Zip/src/ZipCommon.cpp
View File

@ -21,7 +21,20 @@ namespace Poco {
namespace Zip {
const std::string ZipCommon::ILLEGAL_PATH("..");
bool ZipCommon::isValidPath(const std::string& path)
{
if (path == "..")
return false;
if (path.compare(0, 3, "../") == 0)
return false;
if (path.compare(0, 3, "..\\") == 0)
return false;
if (path.find("/..") != std::string::npos)
return false;
if (path.find("\\..") != std::string::npos)
return false;
return true;
}
} } // namespace Poco::Zip

4
Zip/src/ZipUtil.cpp
View File

@ -176,8 +176,8 @@ void ZipUtil::verifyZipEntryFileName(const std::string& fn)
throw ZipException("Illegal entry name /");
if (fn.empty())
throw ZipException("Illegal empty entry name");
if (fn.find(ZipCommon::ILLEGAL_PATH) != std::string::npos)
throw ZipException("Illegal entry name " + fn + " containing " + ZipCommon::ILLEGAL_PATH);
if (!ZipCommon::isValidPath(fn))
throw ZipException("Illegal entry name " + fn + " containing parent directory reference");
}