commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Bodewig (Jira)" <j...@apache.org>
Subject [jira] [Commented] (COMPRESS-495) Zip Slip in SevenZ CLI
Date Tue, 08 Oct 2019 12:00:00 GMT

    [ https://issues.apache.org/jira/browse/COMPRESS-495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946774#comment-16946774
] 

Stefan Bodewig commented on COMPRESS-495:
-----------------------------------------

Thanks Gabor, you are certainly correct. We somehow forgot about that class when we dealt
with the initial Zip Slip report.

 

Fortunately this class is very unlikely to be used by anybody, but we should - and will -
certainly fix it.

> Zip Slip in SevenZ CLI
> ----------------------
>
>                 Key: COMPRESS-495
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-495
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>            Reporter: Gabor Molnar
>            Priority: Major
>
> The SevenZ decompressor doesn't check that the file to be extracted is escaping the current
directory or not.
> Vulnerable code: [https://github.com/apache/commons-compress/blob/26b78cecfc1ca0e5daf03109b2c441f960bde678/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java#L67]
> In another place in the repository, there is a safe implementation that was added as
an example when the Zip Slip vulnerability was originally published: https://github.com/apache/commons-compress/blob/1a14a23a05f7104e3d41a25a0f7e78ae1556285e/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java#L308



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message